
UDT 3.2.4 - Windows Security Events referencing SolarWinds.BusinessLayerHost.exe

Updated: December 20, 2017

Overview

  • Windows logon audit events are flooded with SolarWinds events.
    • The events reference SolarWinds.BusinessLayerHost.exe.
    • This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.

  • Example:
    • Windows Events, 5/25/2017 5.02.10 am - 5.02.19 am

      Category = -12544

      Subject:
          Security ID:             S-1-0-0
          Account Name:            -
          Account Domain:          -
          Logon ID:                0xd98b
          Logon GUID:              {00000000-0000-0000-0000-000000000000}

      Account Whose Credentials Were Used:
          Account Name:            systemadministrator77
          Account Domain:
          Logon GUID:              {00000000-0000-0000-0000-000000000000}

      Target Server:
          Target Server Name:      YourServername.domain.local
          Additional Information:  YourServername.domain.local

      Process Information:
          Process ID:              0x2ccc
          Process Name:            C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe

      Network Information:
          Network Address:         -
          Port:

Environment

  • UDT 3.2.4, NPM 12.1

Cause

  • The problem lies in one of the UDT credentials.
    • This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.
    • This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

  • Example:
    • It looks like credential ID '24' is being used, which is incorrect for that AD domain controller.
    • Edit the domain controller's credential settings and either correct the existing credential (ID '24') or create a new, valid credential and assign it to the appropriate AD domain controller.
    • This is done on the http://localhost/Orion/UDT/ManageDomainControllers.aspx page.

  • UDT BusinessLayer Host log:
    • 2017-05-31 04:02:03,911 [ 39] ERROR - Exeception getting AD searcher with credential ID '24'. Details: The user name or password is incorrect. [SolarWinds.UDT.BusinessLayer.NetworkUser.ADUserUpdater]
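The event shown in the Overview is Windows Security Event ID 4648 (logon with explicit credentials). The following PowerShell script is an added example, not part of the SolarWinds article: it pulls recent 4648 events raised by SolarWinds.BusinessLayerHost.exe and tallies the account names UDT presented, so they can be matched against the credential ID errors in the UDT BusinessLayerHost log. It assumes an elevated PowerShell session on the Orion server; the -Hours look-back window is a placeholder.

```powershell
# Added example, not from the SolarWinds article. Summarise Security Event ID 4648
# (logon with explicit credentials) raised by SolarWinds.BusinessLayerHost.exe.
# Assumes: run in an elevated PowerShell session on the Orion server.
param(
    [int]$Hours = 24,                                     # look-back window (adjust as needed)
    [string]$ProcessName = 'SolarWinds.BusinessLayerHost.exe'
)

$filter = @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddHours(-$Hours) }
# -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Read EventData by field name instead of relying on the positional Properties index.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['ProcessName'] -notlike "*\$ProcessName") { continue }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        TargetUser   = $data['TargetUserName']    # "Account Whose Credentials Were Used"
        TargetDomain = $data['TargetDomainName']
        TargetServer = $data['TargetServerName']
        ProcessId    = $data['ProcessId']
    }
}

if (-not $rows) {
    Write-Host "No 4648 events from $ProcessName in the last $Hours hour(s)."
    return
}

# One line per (account, target server): how often UDT presented that credential and when.
$rows | Group-Object TargetDomain, TargetUser, TargetServer |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Count        = $_.Count
            Account      = "$($sorted[0].TargetDomain)\$($sorted[0].TargetUser)"
            TargetServer = $sorted[0].TargetServer
            First        = $sorted[0].Time
            Last         = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

An account that appears here but is no longer valid on the listed target server is the credential to correct or replace on the Manage Domain Controllers page.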


Resolution

  • Steps to resolve:
    • We assume that the problem is in one of the UDT credentials and recommend the following steps.
    • They apply if your UDT environment polls only via SNMP and does not use AD polling.
    • If UDT is not using AD accounts, there may be orphaned UDT credentials in the SDF files or in the Credential table.
    • In that case it should be safe to delete them, since UDT is not using any of those AD accounts.
    • UDT in this instance performs Layer 2 / Layer 3 polling via SNMP credentials only.


Steps

  1. Back up the 'Credential' table in the SolarWinds Orion database.
  2. Run the following SQL query against the SolarWinds Orion database:
     SELECT * FROM [dbo].[Credential] WHERE CredentialOwner='UDT'
  3. If the query returns the credentials that the errors refer to, delete those records from the 'Credential' table:
     DELETE FROM [dbo].[Credential] WHERE CredentialOwner='UDT'
  4. Restart all Orion services.
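The steps above back up the table and then delete by hand. The following PowerShell script is an added example, not part of the SolarWinds article: it shows the UDT-owned rows first, and only with -Delete copies them to a backup table and removes them in one transaction. It assumes the SqlServer module (Invoke-Sqlcmd) and an account with read/write access to the Orion database; the server and database names are placeholders.

```powershell
# Added example, not from the SolarWinds article: review, back up and (optionally)
# delete the UDT-owned rows of the Orion Credential table.
# Assumes the SqlServer module (Invoke-Sqlcmd); names below are placeholders.
param(
    [string]$ServerInstance = 'SQLSERVER\SOLARWINDS_ORION',   # placeholder
    [string]$Database       = 'SolarWindsOrion',              # placeholder
    [switch]$Delete                                           # without it, the script only reports
)

$conn   = @{ ServerInstance = $ServerInstance; Database = $Database; ErrorAction = 'Stop' }
$backup = 'Credential_UDT_backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss')

# 1. Same filter as the article's SELECT: show what is about to be removed.
$rows = @(Invoke-Sqlcmd @conn -Query "SELECT * FROM [dbo].[Credential] WHERE CredentialOwner = 'UDT';")
if ($rows.Count -eq 0) { Write-Host 'No UDT-owned credentials found; nothing to do.'; return }
$rows | Format-Table -AutoSize

if (-not $Delete) {
    Write-Host "Found $($rows.Count) row(s). Re-run with -Delete to copy them to [dbo].[$backup] and remove them."
    return
}

# 2. Copy the rows to a backup table in the same database and delete them in one
#    transaction. If the deleted count differs from the backed-up count, roll back.
Invoke-Sqlcmd @conn -Query @"
SET XACT_ABORT ON;
BEGIN TRANSACTION;
SELECT * INTO [dbo].[$backup] FROM [dbo].[Credential] WHERE CredentialOwner = 'UDT';
DECLARE @saved INT = (SELECT COUNT(*) FROM [dbo].[$backup]);
DELETE FROM [dbo].[Credential] WHERE CredentialOwner = 'UDT';
IF @@ROWCOUNT <> @saved
    THROW 51000, 'Deleted row count does not match the backup; transaction rolled back.', 1;
COMMIT TRANSACTION;
"@
Write-Host "Removed $($rows.Count) UDT credential(s); copy kept in [dbo].[$backup]. Now restart all Orion services."
```

Run it without -Delete first and confirm the listed rows are the credentials named in the UDT log errors before removing anything.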


If the issue persists, also rebuild the SDF files:

  • Replace the Collector files
  1. Stop all Orion services from Orion Service Manager.
  2. Go to C:\ProgramData\Solarwinds\Collector\Data\ and locate PollingController.sdf.
    • Rename it to *******OLD.sdf.
  3. Then create a copy of C:\ProgramData\Solarwinds\Collector\Data\***** Blank.sdf.
    • Rename it to PollingController.sdf.
  4. This way you keep the old one to revert to, and you always have a blank copy in case the issue reoccurs.
  5. Right-click the .sdf you created, select Properties, clear the Read-only box and click OK.


To replace one or both job engine databases:

  1. Log on to your Orion server using an account with administrative rights.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Shutdown Everything. Note: It may take a few minutes to stop all services.
  4. If you are replacing the job engine version 2 database, complete the following steps:
    1. Make a backup copy of JobEngine35.sdf as JobEngine35.old.
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine.v2\Data\.
    2. Make a copy of JobEngine35 - Blank.sdf and rename it as JobEngine35.sdf.
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine.v2\Data\.
    3. Right-click JobEngine35.sdf, as renamed in the previous step.
    4. Click Properties.
    5. Clear the Read-only option.
  5. On your Orion server, click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  6. Click Start Everything. Note: It may take a few minutes to start all services.


If this does not help, do the following:

  1. Switch the UDT log level to 'All' using the Orion Log Adjuster.
  2. Wait for a new Windows logon audit event to occur.
  3. Collect a new diagnostic.
  4. Switch the UDT log level back to 'INFO' to save disk space.
  5. Log a support case.