Forum

Ultimate Windows Security Forum » Security Log » 529 - Logon Failure - Unknown user name or... » source network address

source network address

Rate Topic

Display Mode

Topic Options

Author

Message

southside_steve

Posted 11/10/2009 11:26:12 AM

Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5

Is there any way to get XP Pro to log the source network address in event 529 - or in another event? I am logging event 529 but there is no source IP address shown.

Post #262

RandyFranklinSmith

Posted 11/11/2009 12:22:10 PM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0

It is probably because of the authentication protocol in use. Can you post a sample of the event - obfuscate anything sensitive.

Post #263

southside_steve

Posted 11/13/2009 1:12:50 PM

Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5

thanks for the reply - here is one of the events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  11/7/2009
Time:  8:48:46 AM
User:  NT AUTHORITY\SYSTEM
Computer: LIPPY
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: user
  Domain:  LIPPY
  Logon Type: 10
  Logon Process: User32

Post #264

southside_steve

Posted 11/13/2009 1:19:21 PM

Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5

Let me try that again - I left off the authentication line

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Post #265

RandyFranklinSmith

Posted 11/16/2009 11:25:38 AM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0

I guess there's a difference here between what gets logged for this event between XP and 2003. 2003 logs this. I thought XP logged this same information but from your post - apparently not.

Post #266

chucklank

Posted 7/8/2016 11:26:22 AM

Forum Newbie

Group: Forum Members
Last Login: 7/8/2016 11:15:00 AM
Posts: 1, Visits: 0

Having a similar problem. Our SIEM monitor receives the below and I can't track it down because no source address. Our SIEM service says several of their customers have the same problem and they've never been able to give them a solution.

SRV=NT2
SYSLOG_DATE=Jul 07 13:27:01
EVENT_DATE=Jul 07 2016 13:27:00
EVENT_PATH=[redacted]/172.20.10.47/1.14.255.1
EVENT_SOURCE=[redacted]
SOURCE=-
SOURCE_OBJECT=Microsoft-Windows-Security-Auditing
CALLER_USER_NAME=DFWNETDC1$
DOMAIN=[Redacted]
LOG_COUNT=1
LOGON_TYPE=3
MSG_NO=Security-Microsoft-Windows-Security-Auditing-4625
OBJECT_ACTION=Failure Audit
OBJECT_ID=An account failed to log on
OBJECT_NAME=Logon
OBJECT_PATH=Security
TARGET_PATH=C:\Windows\System32\svchost.exe
USER_NAME=cisco

Post #5230

derekthomas

Posted 7/24/2016 3:10:44 PM

Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0

Find the raw event on the workstation, what does Network Information show for source workstation and source IP. There should be something there for some of the events.
Workstation Name: WIN-R9H529RIO4Y
Source Network Address: 10.42.42.201

Post #6237

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 3:23am

Upcoming Webinars

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.