
Some logon events have the IP address and others the hostname in the SourceMachine field

Updated: September 28, 2018

Overview

This article explains why some alerts show the logon from the hostname of a server or workstation and others from the IP address when searching through UserLogon alerts in nDepth.

Environment

All supported versions of LEM 

Detail

In situations like this, it is best to do a direct comparison between two example LEM Alerts.

See the AuthPackage field displaying NTLM V1 below. You may also see the AuthPackage display Kerberos.

  • A logon using the IP address rather than the hostname may be authenticated by Kerberos.
  • A logon using the hostname may be authenticated by NTLM.

The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.

There is no way to completely avoid duplicates in the Windows environment.
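
The direct comparison described above can be scripted over exported UserLogon alerts. The following is an added example, not SolarWinds code: it classifies each SourceMachine value as IP or hostname, counts them per AuthPackage, and pairs alerts that are likely the same logon reported by different sources. The `Time` and `Account` column names, the list-of-dicts export shape, and the 5-second window are assumptions, and the alert rows are constructed sample data.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample UserLogon alerts. SourceMachine and AuthPackage are the
# fields named in the article; Time and Account are assumed column names.
ALERTS = [
    {"Time": "2018-09-28 10:15:02", "Account": "jdoe", "SourceMachine": "192.0.2.15", "AuthPackage": "Kerberos"},
    {"Time": "2018-09-28 10:15:03", "Account": "jdoe", "SourceMachine": "WKSTN-042", "AuthPackage": "NTLM V1"},
    {"Time": "2018-09-28 11:40:10", "Account": "asmith", "SourceMachine": "FILESRV01", "AuthPackage": "NTLM V1"},
    {"Time": "2018-09-28 12:05:44", "Account": "bwong", "SourceMachine": "2001:db8::7", "AuthPackage": "Kerberos"},
]

def source_kind(value):
    """Return 'ip' if SourceMachine parses as IPv4/IPv6, else 'hostname'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "hostname"

def crosstab(alerts):
    """Count alerts per (AuthPackage, SourceMachine kind)."""
    return Counter((a["AuthPackage"], source_kind(a["SourceMachine"])) for a in alerts)

def likely_duplicates(alerts, window_seconds=5):
    """Pair alerts for one account, close in time, whose SourceMachine kinds differ."""
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = sorted(alerts, key=lambda a: (a["Account"], a["Time"]))
    pairs = []
    for first, second in zip(rows, rows[1:]):
        if first["Account"] != second["Account"]:
            continue
        gap = datetime.strptime(second["Time"], fmt) - datetime.strptime(first["Time"], fmt)
        if gap <= timedelta(seconds=window_seconds) and \
           source_kind(first["SourceMachine"]) != source_kind(second["SourceMachine"]):
            pairs.append((first["SourceMachine"], second["SourceMachine"]))
    return pairs

if __name__ == "__main__":
    for (package, kind), count in sorted(crosstab(ALERTS).items()):
        print(f"{package:10} {kind:9} {count}")
    for pair in likely_duplicates(ALERTS):
        print("compare side by side:", pair)
```
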

 

 
