Forum

Ultimate Windows Security Forum » Security Log » 540 - Successful Network Logon » Trying to create alerts based on Event ID 540...

Trying to create alerts based on Event ID 540...

Rate Topic

Display Mode

Topic Options

Author

Message

rlanier

Posted 5/11/2011 9:18:15 AM

Forum Newbie

Group: Forum Members
Last Login: 5/11/2011 9:09:14 AM
Posts: 1, Visits: 0

I am trying to set up an alert using a central logging solution to inform me when ever a certain service account authenticates from any source IP other than the server hosting the log collection tool.

I was going to key on Event ID 540, the username, and configure the alert to hit if the authentication came from any IP other than the server hosting the log collection tool.

I have found that there are many log events (540) that have the Source Network Address blank. Can someone explain why this is??

Thanks!!!!!!

ROB

Post #677

RandyFranklinSmith

Posted 5/11/2011 1:07:17 PM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0

Blank IP probably means the client was on the same computer or possibly a non IP network protocol in use.

Post #678

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 5:01pm

Upcoming Webinars

Beyond IP/Hash/Domain: Leveraging Threat Feed Metadata for Better Context and Accuracy

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.