Multiple events are being received for a single logon from the Domain Controller.
This can occur when you are searching for User.Logon type events in LEM.
For example, the following shows two events received by LEM for the same action:
4624 An account was successfully logged on
4776 The domain controller attempted to validate the credentials for an account
Instead of using UserLogon as your filter or trigger, determine and use the relevant Windows EventID.
In LEM, this can be done by using ProviderSID to provide a more concise scope for the search.
Note: Where an agent is installed on a workstation and there are two Domain Controllers, a Logon event may be sent to LEM from three different sources.
For a list of Windows EventIDs, see here.
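The effect of scoping by Event ID, and of the multiple sources mentioned in the note, can be seen in a small simulation. This is an added example, not LEM code or SolarWinds material: the event records, host names, field layout and the ProviderSID string format are constructed assumptions, and the per-source breakdown goes slightly beyond the filter change described above.

```python
from collections import Counter

# Constructed sample: one user logon as it might reach the SIEM from a
# workstation agent and two Domain Controllers. Field names and the
# ProviderSID string format are assumptions made for this illustration.
EVENTS = [
    {"EventName": "UserLogon", "DetectionIP": "ws01.example.test",
     "ProviderSID": "Microsoft-Windows-Security-Auditing 4624", "User": "jdoe"},
    {"EventName": "UserLogon", "DetectionIP": "dc01.example.test",
     "ProviderSID": "Microsoft-Windows-Security-Auditing 4776", "User": "jdoe"},
    {"EventName": "UserLogon", "DetectionIP": "dc01.example.test",
     "ProviderSID": "Microsoft-Windows-Security-Auditing 4624", "User": "jdoe"},
    {"EventName": "UserLogon", "DetectionIP": "dc02.example.test",
     "ProviderSID": "Microsoft-Windows-Security-Auditing 4776", "User": "jdoe"},
]

def event_id(event):
    """Return the trailing Windows Event ID from ProviderSID, or None."""
    tail = event.get("ProviderSID", "").rsplit(" ", 1)[-1]
    return int(tail) if tail.isdigit() else None

def match_generic(events):
    """Broad filter: every event normalized as UserLogon."""
    return [e for e in events if e["EventName"] == "UserLogon"]

def match_scoped(events, wanted_id, source=None):
    """Narrow filter: UserLogon events with one Event ID, optionally one source."""
    return [e for e in match_generic(events)
            if event_id(e) == wanted_id
            and (source is None or e["DetectionIP"] == source)]

def breakdown(events):
    """Count matches per (source, Event ID) to see where duplicates come from."""
    return Counter((e["DetectionIP"], event_id(e)) for e in events)

if __name__ == "__main__":
    print("generic UserLogon matches:", len(match_generic(EVENTS)))
    for (src, eid), n in sorted(breakdown(EVENTS).items()):
        print(f"  {src:20} {eid} x{n}")
    print("scoped to 4624:", len(match_scoped(EVENTS, 4624)))
    print("scoped to 4624 on ws01:",
          len(match_scoped(EVENTS, 4624, "ws01.example.test")))
```

If a filter scoped to one Event ID still fires more than once per logon, the breakdown shows which reporting source to add to the condition.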