Trying to create alerts based on Event ID 540...
Posted 5/11/2011 9:18:15 AM
Forum Newbie

I am trying to set up an alert using a central logging solution to inform me whenever a certain service account authenticates from any source IP other than the server hosting the log collection tool.

I was going to key on Event ID 540, the username, and configure the alert to hit if the authentication came from any IP other than the server hosting the log collection tool. 

I have found that there are many log events (540) that have the Source Network Address blank. Can someone explain why this is?

Thanks!!!!!!

ROB

Post #677
Posted 5/11/2011 1:07:17 PM
Expert

Blank IP probably means the client was on the same computer, or possibly a non-IP network protocol was in use.
Post #678
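
Added example, not part of either post: one way to express the alert described in the question while routing events with a blank Source Network Address (the case the reply explains) to a separate review bucket. The account name, IP address, host names, the `Computer` key, the parsed-event dictionary shape and all sample events are constructed assumptions, not any logging product's format.

```python
# Constructed values for illustration; none come from the thread.
SERVICE_ACCOUNT = "svc_logcollector"   # hypothetical service account
COLLECTOR_IP = "192.0.2.10"            # hypothetical collector server IP
COLLECTOR_HOST = "LOGSRV01"            # hypothetical collector host name

def source_of(event):
    """Return the Source Network Address, or None when it is blank ('' or '-')."""
    raw = (event.get("Source Network Address") or "").strip()
    return None if raw in ("", "-") else raw

def classify(event):
    """Return 'ignore', 'ok', 'alert' or 'review' for one parsed event dict."""
    if str(event.get("EventID")) != "540":
        return "ignore"
    if (event.get("User Name") or "").strip().lower() != SERVICE_ACCOUNT:
        return "ignore"
    src = source_of(event)
    if src is None:
        # Blank source: no IP to compare. Assumption: accept it only when the
        # event was logged on the collector host itself, otherwise queue it
        # for review instead of silently passing or alerting.
        host = (event.get("Computer") or "").strip().upper()
        return "ok" if host == COLLECTOR_HOST else "review"
    return "ok" if src == COLLECTOR_IP else "alert"

def triage(events):
    """Classify every event, preserving input order."""
    return [classify(e) for e in events]

def ev(event_id, user, src, computer):
    """Build one constructed sample event (assumed field names)."""
    return {"EventID": event_id, "User Name": user,
            "Source Network Address": src, "Computer": computer}

SAMPLE_EVENTS = [  # constructed sample data
    ev(540, "svc_logcollector", "192.0.2.10", "FILESRV02"),  # expected source
    ev(540, "SVC_LogCollector", "192.0.2.77", "FILESRV02"),  # unexpected IP
    ev(540, "svc_logcollector", "", "LOGSRV01"),             # blank, on collector
    ev(540, "svc_logcollector", "-", "FILESRV02"),           # blank, elsewhere
    ev(540, "alice", "192.0.2.77", "FILESRV02"),             # other account
    ev(538, "svc_logcollector", "192.0.2.77", "FILESRV02"),  # other event ID
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict, event)
```

Keeping blank-source events in their own bucket avoids both a flood of false alerts and a silent gap in coverage for the service account.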

All times are GMT -5:00