
Multiple events received for a single logon

Created by Craig O’ Neill, last modified by Tim Rush on Apr 04, 2017


Overview

Multiple events are being received for a single logon from the Domain Controller.

Environment

  • All LEM versions
  • Windows Environment

Cause 

This can occur because of how Windows writes events to the event logs and how LEM connectors read those logs. A search for User.Logon type events displays every matching event (as shown below). LEM receives all of the events, but you can modify the search filter to view only specific types of logon events.

For example, the following shows two events received by LEM for the same action:

event comparison

  • 4624: An account was successfully logged on
  • 4776: The domain controller attempted to validate the credentials for an account

Resolution

Instead of using UserLogon as your filter or trigger, determine and use the relevant Windows EventID.

In LEM, this can be done by using ProviderSID to provide a more concise scope for the search.

example filter

Note: Where an agent is installed on a workstation and there are two Domain Controllers, it is possible that a single logon event is sent to LEM from three different sources. For a list of Windows EventIDs, see here.
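The effect of the narrower filter, as an added example (not SolarWinds code and not LEM filter syntax): a Python sketch over constructed events that compares a UserLogon search with a match on the EventID carried in ProviderSID, then groups what remains by reporting source. The field names, host names, the five-second grouping window and the "provider name, then EventID" layout of ProviderSID are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names, host names and the
# "<provider> <EventID>" layout of ProviderSID are assumptions for illustration.
P = "Microsoft-Windows-Security-Auditing "
EVENTS = [
    {"time": "2017-01-01T09:00:01", "type": "UserLogon", "source": "WKS01",
     "user": "alice", "provider_sid": P + "4624"},
    {"time": "2017-01-01T09:00:01", "type": "UserLogon", "source": "DC01",
     "user": "alice", "provider_sid": P + "4776"},
    {"time": "2017-01-01T09:00:02", "type": "UserLogon", "source": "DC01",
     "user": "alice", "provider_sid": P + "4624"},
    {"time": "2017-01-01T09:00:02", "type": "UserLogon", "source": "DC02",
     "user": "alice", "provider_sid": P + "4776"},
    {"time": "2017-01-01T11:30:00", "type": "UserLogon", "source": "DC01",
     "user": "bob", "provider_sid": P + "4624"},
]

def event_id(event):
    """Windows EventID, read as the last token of ProviderSID (assumed layout)."""
    return int(event["provider_sid"].rsplit(" ", 1)[-1])

def by_type(events, event_type):
    """Broad filter: every event normalized to the given type."""
    return [e for e in events if e["type"] == event_type]

def by_event_id(events, wanted):
    """Narrow filter: only events whose ProviderSID carries the wanted EventID."""
    return [e for e in events if event_id(e) == wanted]

def collapse(events, window=timedelta(seconds=5)):
    """Group one user's events that fall within `window` of the group's first
    event, so each group stands for one logon and lists its reporting sources."""
    groups, current = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        start, group = current.get(e["user"], (None, None))
        if start is None or t - start > window:
            group = {"user": e["user"], "first_seen": e["time"], "sources": set()}
            groups.append(group)
            current[e["user"]] = (t, group)
        group["sources"].add(e["source"])
    return groups

if __name__ == "__main__":
    print(len(by_type(EVENTS, "UserLogon")), "events match UserLogon")
    print(len(by_event_id(EVENTS, 4624)), "events match EventID 4624")
    for g in collapse(EVENTS):
        print(g["user"], g["first_seen"], sorted(g["sources"]))
```

In this sample the EventID match still returns two events for the first logon, one per reporting source, which is the situation the note above describes.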

 
