Re: Event ID 529 Question
- From: "Siv" <g@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 24 Feb 2008 23:52:03 -0000
Teneo,
Neat idea, I'll have a look at that and report back my findings, certainly does seem better than rooting through the logs looking for a needle in a haystack.
Siv
"Teneo" <not@xxxxxxxx> wrote in message news:%232v7TdzdIHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
Cool
May find the following useful to email you an alert instead of having to
manually check the logs..(assuming you have configured monitoring and reporting)
http://msmvps.com/blogs/bradley/archive/2005/01/31/34556.aspx
"Siv" <g@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0B89A668-2D1D-4161-BEAE-1366EDF86F57@xxxxxxxxxxxxxxxx
Teneo,
Cheers, now I have found it and turned all logging tick boxes on.
Let's see what we find in a day or so.
Thanks for this.
Siv
"Teneo" <not@xxxxxxxx> wrote in message news:%23mwg6zydIHA.4260@xxxxxxxxxxxxxxxxxxxxxxx
Hi Siv
Main Server, Protocols, SMTP, here you find default smtp virtual server, right mouse click, properties and at the bottom click enable logging, then properties and advanced..
"Siv" <g@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:69D97E88-4C21-4A4A-A8F5-627AFB4D9F8C@xxxxxxxxxxxxxxxx
Teneo,
If I go into exchange do I click on the main server name or the SMTP Connector as I can't find the Advanced tab that you are talking about? I can see the "Diagnostic Logging tab" and the "Monitoring" tab neither seems to sound like what you are talking about.
If I go into the SMTP Connector and right-click that and go "Properties" I do get an "Advanced" tab but that has all the "send HELO instead of EHLO" type stuff which again doesn't look like what you are talking about?
Please advise, I am confused about where you are going to turn the logging on.
Thanks for your advice.
Siv
"Teneo" <not@xxxxxxxx> wrote in message news:%23YKTSzudIHA.4144@xxxxxxxxxxxxxxxxxxxxxxx
Hi Siv
We are seeing these also. I'm pretty sure it's to do with a hacking attempt on port 25.
Switch on logging on your default smtp server, need to click properties / advanced to tick options required ( I tick them all...lol )
Then in windows\system32\logfiles will see SMTPSVC1
Here you can look up the time and see the IP and if have ISA can block the IP.
Hope it helps.
"Siv" <g@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F2B333D5-B641-4F6C-8337-1E8897B03974@xxxxxxxxxxxxxxxx
Just lately I have been seeing this in the event logs:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Mickey
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: DIRECT
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1608
Transited Services: -
Source Network Address: -
Source Port: -
There is no "Mickey" user on our network, so it worries me that we have a hacker trying to get in using brute force logins as this occurred 45 times. Usually when you get this you see a source port and source IP Address, but these are not listed? We use wireless networking as well as the wired network so it is possible that someone could be attempting to login from outside the building using wireless, could this be why there is no IP or Port listed?
Any help/advice gratefully accepted.
Siv