
Some logon events have the IP address and others the hostname in the SourceMachine field

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016


Updated June 13, 2016

Overview

This article explains why some alerts show the logon from the hostname of a server or workstation and others from the IP address when searching through UserLogon alerts in nDepth.

Environment

All supported versions of LEM 

Detail

In situations like this, it is best to do a direct comparison between two example LEM Alerts.

Note the AuthPackage: NTLM V1 field. The AuthPackage may also be 'Kerberos'.

  • A logon using the ipAddress rather than HostName may be authenticated by Kerberos.
  • A logon using HostName may be authenticated by NTLM.

The key to identifying this type of issue is to perform a direct comparison between relevant LEM Alerts. The same event may be sent from different sources.

 

Note: There is no way to completely avoid duplicates in the Windows environment.
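The direct comparison described above can be scripted over exported UserLogon alerts. The following is an added example, not SolarWinds code: the alert records are constructed, only SourceMachine and AuthPackage are field names taken from this article, and the DetectionTime and DestinationAccount keys and the duplicate-matching rule are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts (not real LEM output). SourceMachine and AuthPackage
# come from the article; the other keys are assumed for illustration.
ALERTS = [
    {"DetectionTime": "2016-06-13 09:00:01", "DestinationAccount": "jsmith",
     "SourceMachine": "10.0.0.25", "AuthPackage": "Kerberos"},
    {"DetectionTime": "2016-06-13 09:00:01", "DestinationAccount": "jsmith",
     "SourceMachine": "WKSTN-25", "AuthPackage": "NTLM V1"},
    {"DetectionTime": "2016-06-13 09:05:40", "DestinationAccount": "adoe",
     "SourceMachine": "WKSTN-31", "AuthPackage": "NTLM V1"},
]

def source_kind(value):
    """Classify a SourceMachine value as 'ip' or 'hostname'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "hostname"

def compare_alerts(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def tally(alerts):
    """Count alerts per (AuthPackage, SourceMachine kind) pair."""
    return Counter((a["AuthPackage"], source_kind(a["SourceMachine"])) for a in alerts)

def possible_duplicates(alerts):
    """Assumed rule: same time and account, but one alert has an IP and one a hostname."""
    pairs = []
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            same = all(a[k] == b[k] for k in ("DetectionTime", "DestinationAccount"))
            if same and source_kind(a["SourceMachine"]) != source_kind(b["SourceMachine"]):
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    print(compare_alerts(ALERTS[0], ALERTS[1]))
    print(dict(tally(ALERTS)))
    print(len(possible_duplicates(ALERTS)), "possible duplicate pair(s)")
```
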

 

 
