source network address
Posted 11/10/2009 11:26:12 AM
Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5
Is there any way to get XP Pro to log the source network address in event 529 - or in another event? I am logging event 529 but there is no source IP address shown.
Post #262
Posted 11/11/2009 12:22:10 PM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
It is probably because of the authentication protocol in use.  Can you post a sample of the event - obfuscate anything sensitive.
Post #263
Posted 11/13/2009 1:12:50 PM
Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5
Thanks for the reply - here is one of the events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  11/7/2009
Time:  8:48:46 AM
User:  NT AUTHORITY\SYSTEM
Computer: LIPPY
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: user
  Domain:  LIPPY
  Logon Type: 10
  Logon Process: User32 
 

Post #264
Posted 11/13/2009 1:19:21 PM
Forum Newbie

Group: Forum Members
Last Login: 11/16/2009 2:48:12 PM
Posts: 3, Visits: 5
Let me try that again - I left off the authentication line

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  11/7/2009
Time:  8:48:46 AM
User:  NT AUTHORITY\SYSTEM
Computer: LIPPY
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: user
  Domain:  LIPPY
  Logon Type: 10
  Logon Process: User32 
  Authentication Package: Negotiate
  Workstation Name: LAPPY

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Post #265
Posted 11/16/2009 11:25:38 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I guess there's a difference here between what gets logged for this event between XP and 2003.  2003 logs this.   I thought XP logged this same information but from your post - apparently not. 
Post #266
Posted 7/8/2016 11:26:22 AM
Forum Newbie

Group: Forum Members
Last Login: 7/8/2016 11:15:00 AM
Posts: 1, Visits: 0
Having a similar problem. Our SIEM monitor receives the below and I can't track it down because there is no source address. Our SIEM service says several of their customers have the same problem and they've never been able to give them a solution.

SRV=NT2
SYSLOG_DATE=Jul 07 13:27:01
EVENT_DATE=Jul 07 2016 13:27:00
EVENT_PATH=[redacted]/172.20.10.47/1.14.255.1
EVENT_SOURCE=[redacted]
SOURCE=-
SOURCE_OBJECT=Microsoft-Windows-Security-Auditing
CALLER_USER_NAME=DFWNETDC1$
DOMAIN=[Redacted]
LOG_COUNT=1
LOGON_TYPE=3
MSG_NO=Security-Microsoft-Windows-Security-Auditing-4625
OBJECT_ACTION=Failure Audit
OBJECT_ID=An account failed to log on
OBJECT_NAME=Logon
OBJECT_PATH=Security
TARGET_PATH=C:\Windows\System32\svchost.exe
USER_NAME=cisco
Post #5230
Posted 7/24/2016 3:10:44 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
Find the raw event on the workstation. What does Network Information show for source workstation and source IP? There should be something there for some of the events.
Workstation Name: WIN-R9H529RIO4Y
Source Network Address: 10.42.42.201
Post #6237
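
Added example, not part of any post in this thread: a small Python triage helper that reads failed-logon records in the two layouts quoted above (the "Field: value" event description and the SIEM's KEY=value export) and reports which origin field, if any, is actually populated. The samples are constructed from the events on this page; the function names are hypothetical, and treating the SIEM's SOURCE key as the source address is an assumption.

```python
import re

# Constructed samples, trimmed from the events quoted in this thread.
XP_529 = """Event ID: 529
  User Name: user
  Logon Type: 10
  Authentication Package: Negotiate
  Workstation Name: LAPPY"""
RAW_4625 = """Logon Type: 3
  Workstation Name: WIN-R9H529RIO4Y
  Source Network Address: 10.42.42.201"""
SIEM_4625 = """SOURCE=-
CALLER_USER_NAME=DFWNETDC1$
LOGON_TYPE=3
USER_NAME=cisco"""

# Field labels as they appear on this page -> one common name.
# Treating the SIEM's SOURCE key as the source address is an assumption.
FIELDS = {
    "source network address": "src_ip", "source": "src_ip",
    "workstation name": "workstation", "logon type": "logon_type",
    "user name": "user", "caller user name": "caller",
}
LINE = re.compile(r"^\s*([A-Za-z_ ]+?)\s*[:=]\s*(.*?)\s*$")

def parse_event(text):
    """Normalise an event description or KEY=value record to a dict."""
    out = dict.fromkeys(set(FIELDS.values()))
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = FIELDS.get(m.group(1).lower().replace("_", " "))
        value = m.group(2)
        if key and value not in ("", "-"):   # "-" means not recorded
            out[key] = value
    return out

def best_lead(event):
    """First populated origin field: address, then workstation, then caller."""
    for name in ("src_ip", "workstation", "caller"):
        if event[name]:
            return name, event[name]
    return None, None

if __name__ == "__main__":
    for label, sample in [("XP 529", XP_529), ("raw 4625", RAW_4625), ("SIEM 4625", SIEM_4625)]:
        print(label, best_lead(parse_event(sample)))
```

Run over a batch of exported events, this separates the records that carry a source address from those where only a workstation name or caller account was recorded.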
All times are GMT -5:00.