Hide this message
Welcome to the NEW Success Center. Search all resources (documentation, videos, training, knowledge base articles) or browse resources by product. If you are unable to find what you are looking for, please contact us at firstname.lastname@example.org
Updated June 13, 2016
This article explains why some alerts show the logon from the hostname of a server or workstation and others from the IP address when searching through UserLogon alerts in nDepth.
All supported versions of LEM
In situations like this, it is best to do a direct comparison between two example LEM Alerts.
Note the AuthPackage:NTLM V1 field. You may also see the AuthPackage be 'Kerberos.'
The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.
Note: There is no way to completely avoid duplicates in the Windows environment.