
Some logon events have the IP address and others the hostname in the SourceMachine field

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016


Updated June 13, 2016

Overview

This article explains why, when searching through UserLogon alerts in nDepth, some alerts show the logon as coming from the hostname of a server or workstation and others show it as coming from the IP address.

Environment

All supported versions of LEM 

Detail

In situations like this, it is best to do a direct comparison between two example LEM Alerts.

Note the AuthPackage:NTLM V1 field. The AuthPackage may also be 'Kerberos'.

  • A logon using the IP address rather than the hostname may be authenticated by Kerberos.
  • A logon using the hostname may be authenticated by NTLM.

The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.

 

Note: There is no way to completely avoid duplicates in the Windows environment.
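The comparison described above can be scripted against exported alerts. The following is an added example, not SolarWinds code: it tallies whether SourceMachine holds an IP address or a hostname per AuthPackage value and pairs alerts that look like the same logon reported twice. The sample alerts are constructed, and the `time` and `user` keys and the 5-second window are assumptions made for this example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts. SourceMachine and AuthPackage are the fields the
# article names; "time" and "user" are hypothetical keys for this example.
ALERTS = [
    {"time": "2016-06-13T09:00:01", "user": "jdoe", "SourceMachine": "10.0.0.15", "AuthPackage": "Kerberos"},
    {"time": "2016-06-13T09:00:02", "user": "jdoe", "SourceMachine": "WKS-015", "AuthPackage": "NTLM V1"},
    {"time": "2016-06-13T09:05:40", "user": "asmith", "SourceMachine": "WKS-022", "AuthPackage": "NTLM V1"},
    {"time": "2016-06-13T09:30:00", "user": "jdoe", "SourceMachine": "10.0.0.15", "AuthPackage": "Kerberos"},
]

def source_kind(value):
    """Return 'ip' if SourceMachine parses as an IPv4/IPv6 address, else 'hostname'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "hostname"

def crosstab(alerts):
    """Count alerts per (AuthPackage, kind of SourceMachine)."""
    return Counter((a["AuthPackage"], source_kind(a["SourceMachine"])) for a in alerts)

def probable_duplicates(alerts, window=timedelta(seconds=5)):
    """Pair alerts for the same user within `window` whose SourceMachine kinds differ."""
    ordered = sorted(alerts, key=lambda a: a["time"])  # ISO timestamps sort as text
    pairs = []
    for i, first in enumerate(ordered):
        t1 = datetime.fromisoformat(first["time"])
        for second in ordered[i + 1:]:
            if datetime.fromisoformat(second["time"]) - t1 > window:
                break  # later alerts are even further away in time
            if (first["user"] == second["user"]
                    and source_kind(first["SourceMachine"]) != source_kind(second["SourceMachine"])):
                pairs.append((first["SourceMachine"], second["SourceMachine"]))
    return pairs

if __name__ == "__main__":
    for (pkg, kind), n in sorted(crosstab(ALERTS).items()):
        print(f"{pkg:10} {kind:9} {n}")
    print(probable_duplicates(ALERTS))
```

A pair returned by `probable_duplicates` is only a candidate for the same logon seen from two sources; confirm it by comparing the two alerts field by field.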

 

 
