ESM 8.1
ESM 8.1 - 7.Sep.2009 9:10:41 AM   
KenEric

Posts: 15
Score: 0
Joined: 27.Jun.2008
Status: offline
Good Day:

I have recently upgraded from ESM 7 to ESM 8.1. The upgrade executed without any problems. However, since the upgrade I have seen an increase of Event IDs 675 and 529 being reported in the Failed logon report.

The user accounts being reported are valid service accounts, or the account is krbtgt/wi, which I'm not familiar with.

These entries are appearing every minute, which makes this report quite lengthy.

Can you suggest how I can reduce the size of this report, i.e. what to modify to reduce this report to a manageable level?


Ken
Post #: 1
RE: ESM 8.1 - 8.Sep.2009 9:43:13 AM   
DrewE

Posts: 1058
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Can you tell me what account the GFI EventsManager service is using?

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to KenEric)
Post #: 2
RE: ESM 8.1 - 8.Sep.2009 11:40:19 AM   
KenEric
I'm currently using an administrator account.

(in reply to DrewE)
Post #: 3
RE: ESM 8.1 - 8.Sep.2009 12:46:12 PM   
DrewE
Can you post any details about these logon failure events from the Events Browser section?

(in reply to KenEric)
Post #: 4
RE: ESM 8.1 - 8.Sep.2009 2:42:11 PM   
KenEric
Below are samples of the errors that I'm experiencing:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 9/8/2009
Time: 8:27:22 AM
User: NT AUTHORITY\SYSTEM
Computer: CBBBD-D3-WI2
Description:
Pre-authentication failed:
User Name: CBBBD-VPMDES001$
User ID: WI\CBBBD-VPMDES001$
Service Name: krbtgt/WI.CIBC.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.129.23.150


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/8/2009
Time: 2:08:42 PM
User: NT AUTHORITY\SYSTEM
Computer: CBBBD-W3MSD06
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sqlexecbbd
Domain: wi
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: CBBBD-W3MSD06
Caller User Name: LoggerBBD
Caller Domain: WI
Caller Logon ID: (0x0,0x12EE19AF)
Caller Process ID: 5292
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

(in reply to DrewE)
Post #: 5
RE: ESM 8.1 - 8.Sep.2009 5:16:36 PM   
DrewE
Can you further explain what machine has the IP address 10.129.23.150? (CBBBD-D3-WI2?) This should help identify where the first set of failures is coming from. In regard to the second failure you sent, it seems to be SQL related.

(in reply to KenEric)
Post #: 6
RE: ESM 8.1 - 9.Sep.2009 9:39:05 AM   
KenEric
For clarification, CBBBD-D3-WI2 is a domain controller, while IP 150 is the firewall. Two separate devices.

Please clarify what you mean by the second failure being SQL related, as the server is the SQL server and the user ID is valid.

(in reply to DrewE)
Post #: 7
RE: ESM 8.1 - 9.Sep.2009 10:44:10 AM   
DrewE
For the firewall, do you perhaps have GFI EventsManager trying to collect anything other than SysLogs from this device?

Also, for the SQL server it seems like something is trying to connect to the SQL server with an incorrect password for some reason. Perhaps ensuring GFI EventsManager uses SQL Authentication instead of Windows Authentication should help narrow down what is happening. Also, open Task Manager, look at the Processes tab, then add the "Process ID" column (PID). Look at the latest event log and determine what process shares the PID; in the example above the PID is 5292.

(in reply to KenEric)
Post #: 8
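As an added example (not part of this thread and not GFI code), the Python script below does the two things the thread circles around: it parses Security log text exports like the two events posted earlier into fields, counts failures per event ID, account and origin so the noisiest sources surface first (which is what decides what to filter from the report), and pulls the Caller Process ID out of 529 events so it can be matched against the Task Manager PID column as described in the previous post. The sample input is constructed from the two events quoted above. The triage rule that a 675 with failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED) from a machine account is normally the benign first leg of a Kerberos exchange, not a wrong password, is general Kerberos knowledge and an assumption of this example, not something the thread states.

```python
from collections import Counter

# Constructed sample input: the two events quoted earlier in the thread, in the
# layout of a Security log text export (raw string so the backslashes survive).
SAMPLE_EVENTS = r"""
Event Type: Failure Audit
Event Category: Account Logon
Event ID: 675
Date: 9/8/2009
Time: 8:27:22 AM
User: NT AUTHORITY\SYSTEM
Computer: CBBBD-D3-WI2
Description:
Pre-authentication failed:
User Name: CBBBD-VPMDES001$
User ID: WI\CBBBD-VPMDES001$
Service Name: krbtgt/WI.CIBC.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.129.23.150

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Category: Logon/Logoff
Event ID: 529
Date: 9/8/2009
Time: 2:08:42 PM
User: NT AUTHORITY\SYSTEM
Computer: CBBBD-W3MSD06
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sqlexecbbd
Domain: wi
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: CBBBD-W3MSD06
Caller User Name: LoggerBBD
Caller Domain: WI
Caller Logon ID: (0x0,0x12EE19AF)
Caller Process ID: 5292
Source Network Address: -
"""


def parse_events(text):
    """Split a text export into one dict per event, keyed by the 'Field: value' labels.
    A new event starts at each 'Event Type:' line; the help URL trailer is skipped
    because its 'http:' would otherwise be mistaken for a field separator."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("For more information"):
            continue
        if line.startswith("Event Type:"):
            current = {}
            events.append(current)
        if current is None:
            continue
        key, sep, value = line.partition(":")  # first colon only: 'Time: 8:27:22 AM'
        if sep:
            current[key.strip()] = value.strip()
    return events


def caller_pid(event):
    """Caller Process ID of a 529 event as an int, or None when absent or '-'.
    This is the value to match against the PID column in Task Manager."""
    pid = event.get("Caller Process ID", "-")
    return int(pid) if pid.isdigit() else None


def source_of(event):
    """Where the failure originated: the Kerberos client address for 675,
    the workstation (falling back to the logging computer) for 529."""
    if event.get("Event ID") == "675":
        return event.get("Client Address", "?")
    return event.get("Workstation Name") or event.get("Computer", "?")


def classify(event):
    """Coarse triage bucket used to split the report into expected and review items.
    Assumption (general Kerberos behaviour, not from the thread): 675 with failure
    code 0x19 from a machine account ($ suffix) is the client's first AS-REQ sent
    without pre-authentication, which it then retries, so it is expected noise."""
    eid, user = event.get("Event ID"), event.get("User Name", "")
    if eid == "675" and event.get("Failure Code") == "0x19" and user.endswith("$"):
        return "expected-preauth"
    if eid == "529":
        return "bad-password"
    return "review"


def summarize(events):
    """Count failures per (event id, account, origin) so the noisiest sources surface first."""
    counts = Counter()
    for ev in events:
        counts[(ev.get("Event ID"), ev.get("User Name"), source_of(ev))] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for key, n in summarize(evs).most_common():
        print(n, key)
    for ev in evs:
        print(ev["Event ID"], classify(ev), "caller PID:", caller_pid(ev))
```

Run against a full export instead of the two-event sample, the `summarize` output shows which account/origin pairs are generating the once-a-minute entries, and the `classify` bucket indicates whether each is a candidate for an exclusion rule in the report or something to chase down with the PID lookup.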
RE: ESM 8.1 - 9.Sep.2009 10:50:07 AM   
KenEric
GFI is not collecting any data from IP 150.

I will investigate the sql server and revert back with additional information.

(in reply to DrewE)
Post #: 9