
Some logon events have the IP address and others the hostname in the SourceMachine field

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016


Updated June 13, 2016

Overview

This article explains why, when you search UserLogon alerts in nDepth, some alerts show the logon as coming from the hostname of a server or workstation and others as coming from its IP address.

Environment

All supported versions of LEM 

Detail

In situations like this, it is best to do a direct comparison between two example LEM Alerts.

Note the AuthPackage:NTLM V1 field. The AuthPackage value may also be 'Kerberos'.

  • A logon using the ipAddress rather than HostName may be authenticated by Kerberos.
  • A logon using HostName may be authenticated by NTLM.

The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.
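One way to run that direct comparison in bulk over exported UserLogon alerts, as an added example that is not part of the original article or the product's own code. The CSV layout, the DetectionTime, User and ReportedBy column names and the 5-second window are assumptions, and the sample rows are constructed.

```python
import csv, io, ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Only SourceMachine and AuthPackage are field names
# from the article; the other columns and the CSV layout are assumptions.
SAMPLE = """DetectionTime,User,SourceMachine,AuthPackage,ReportedBy
2016-06-13 09:00:01,jdoe,10.1.2.30,Kerberos,dc01
2016-06-13 09:00:02,jdoe,WKS-030,NTLM V1,fs01
2016-06-13 09:05:10,asmith,WKS-044,NTLM V1,fs01
2016-06-13 09:07:45,asmith,10.1.2.44,Kerberos,dc01
2016-06-13 11:30:00,bwong,WKS-051,NTLM V1,fs02
"""

def source_kind(value):
    """Classify a SourceMachine value as 'ip' or 'hostname'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "hostname"

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(r["DetectionTime"], "%Y-%m-%d %H:%M:%S")
        r["kind"] = source_kind(r["SourceMachine"])
    return rows

def crosstab(rows):
    """Count alerts per (AuthPackage, SourceMachine kind)."""
    return Counter((r["AuthPackage"], r["kind"]) for r in rows)

def likely_same_logon(rows, window=timedelta(seconds=5)):
    """Pair one user's alerts that are close in time but differ in SourceMachine form."""
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["when"]):
        by_user[r["User"]].append(r)
    return [(a, b) for alerts in by_user.values()
            for a, b in zip(alerts, alerts[1:])
            if b["when"] - a["when"] <= window and a["kind"] != b["kind"]]

if __name__ == "__main__":
    rows = load(SAMPLE)
    for (pkg, kind), n in sorted(crosstab(rows).items()):
        print(f"{pkg:10} {kind:9} {n}")
    for a, b in likely_same_logon(rows):
        print(a["User"], a["SourceMachine"], a["AuthPackage"], "<->",
              b["SourceMachine"], b["AuthPackage"], "reported by", a["ReportedBy"], b["ReportedBy"])
```

Pairs returned by `likely_same_logon` are candidates for one logon reported by two sources; confirm each by comparing the two alerts' remaining fields before treating them as duplicates.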

 

Note: There is no way to completely avoid duplicates in the Windows environment.

 

 

Last modified
20:22, 22 Jun 2016
