
Some logon events have the IP address and others the hostname in the SourceMachine field

Updated: September 28, 2018


This article explains why some alerts show the logon from the hostname of a server or workstation and others from the IP address when searching through UserLogon alerts in nDepth.


All supported versions of LEM 


In situations like this, it is best to do a direct comparison between two example LEM Alerts.

See the AuthPackage field displaying NTLM V1 below. You may also see the AuthPackage display Kerberos.

  • A logon using the IP address rather than the hostname may be authenticated by Kerberos.
  • A logon using the hostname may be authenticated by NTLM.

The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.

There is no way to completely avoid duplicates in the Windows environment.
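The direct comparison described above can be run over a batch of exported UserLogon alerts. The following is an added example, not SolarWinds code: it tabulates AuthPackage against whether SourceMachine holds an IP address or a hostname, and lists alert pairs for one account that arrive close together with differing SourceMachine forms. The CSV layout, the `DetectionTime` and `DestinationAccount` column names, the 5-second window, and all sample rows are assumptions constructed for illustration.

```python
import csv, io, ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. SourceMachine and AuthPackage are the fields the
# article names; DetectionTime and DestinationAccount are assumed column names.
SAMPLE = """DetectionTime,DestinationAccount,SourceMachine,AuthPackage
2018-09-28 09:00:01,jdoe,10.0.0.15,Kerberos
2018-09-28 09:00:02,jdoe,WKSTN-15,NTLM V1
2018-09-28 09:05:40,asmith,WKSTN-22,NTLM V1
2018-09-28 09:30:00,asmith,10.0.0.22,Kerberos
"""

def source_kind(value):
    """Return 'ip' if SourceMachine parses as an IPv4/IPv6 address, else 'hostname'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "hostname"

def load(text):
    """Parse the export, tag each alert with its SourceMachine kind, sort by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["DetectionTime"], "%Y-%m-%d %H:%M:%S")
        r["kind"] = source_kind(r["SourceMachine"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])

def crosstab(rows):
    """Count alerts per (AuthPackage, SourceMachine kind)."""
    return Counter((r["AuthPackage"], r["kind"]) for r in rows)

def paired_candidates(rows, window=timedelta(seconds=5)):
    """Pairs of alerts for one account, close in time, one IP and one hostname."""
    pairs = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if b["time"] - a["time"] > window:
                break  # rows are time-sorted, so later ones are out of range too
            if a["DestinationAccount"] == b["DestinationAccount"] and a["kind"] != b["kind"]:
                pairs.append((a["SourceMachine"], b["SourceMachine"]))
    return pairs

if __name__ == "__main__":
    rows = load(SAMPLE)
    for (pkg, kind), n in sorted(crosstab(rows).items()):
        print(f"{pkg:10} {kind:9} {n}")
    print(paired_candidates(rows))
```

Pairs returned by `paired_candidates` are candidates for the same logon reported from different sources and should be confirmed by comparing the two alerts field by field.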


