Failure Audit with LNSS_MONITOR_USR
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
Failure Audit with LNSS_MONITOR_USR - 19.Aug.2008 9:33:36 AM
|
|
|
zypr3xa54
Posts: 8
Joined: 18.Aug.2008
Status: offline
|
I have Server1 on a domain. This server is the one with GFI installed on it. Then I have Server2 and Server3 in a DMZ. My problem is I have a scans setup for both server 2,3 and Server3 seems to work fine but, Server2 is filling the Eventsmanager with tons of Failure Audits. Here is the error im getting....
Event Origin Details:
Date: 8/19/2008
Time: 8:28:25 AM
Type: Failure Audit
Username: NT AUTHORITY\SYSTEM
Computer: Server2
Source: Security
Category: Logon/Logoff
Event ID: 529
Internal Event ID: 28D19A8B15
Rule Name: Logon failure - unknown user name or bad password - outside work hours
In Work Hours: No
Logon Failure:
Reason: Unknown user name or bad password
User Name: LNSS_MONITOR_USR
Domain: Domain
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Server1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.0
Source Port: 0
More information:
User LNSS_MONITOR_USR from domain Domain tried to logon (Type 3) from the machine Server1 to the machine Server2 and specified either a bad username or bad password.
All servers on the domain have the LNSS_MONITOR_USR installed on them but the ones in the DMZ do not. Is this why I am getting the Failure Audits?
Thanks For The Help!!!
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 19.Aug.2008 1:53:09 PM
|
|
|
spidermouse
Posts: 63
Joined: 27.Jul.2006
Status: offline
|
Hiya,
You might have to create a different scanning profile for your machines in the DMZ. I guess you are scanning under Domain admin credentials, so these will not work. There might be a mechanism that will make the NSS Scan fall back on trying the LNSS_MONITOR_USER account, which does not exist on the machines in the DMZ.
Try to create a separate scanning profile and giving that profile valid credentials for those two machines.
Alternatively, you can always tell EVM to ignore these events.
_____________________________
Regards,
Spidermouse
----------------------------------------------------------
Mythbusters - busting myths since 1972...
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 19.Aug.2008 2:04:01 PM
|
|
|
zypr3xa54
Posts: 8
Joined: 18.Aug.2008
Status: offline
|
SpiderMouse,
Thanks for the tip Ill try it and see what I can come up with. Ill let you know.
Thanks
Travis
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 21.Aug.2008 3:26:30 PM
|
|
|
zypr3xa54
Posts: 8
Joined: 18.Aug.2008
Status: offline
|
Spider,
That didnt do the trick even if I create a user for it to use and tell it to use it I still get the error of USER: LNSS_MONITOR_USER not able to log in.....
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 21.Aug.2008 4:28:28 PM
|
|
|
spidermouse
Posts: 63
Joined: 27.Jul.2006
Status: offline
|
Take a look into the services.msc. Is the LNSS Service running under the LNSS_MONITOR_USER account? If that's the case, then I think NSS will always first attempt to run a scan under its own credentials and if that fails, it will take the credentials given in the scannng profile. Even if you cahnge it to something else, it will always raise the error on the target machine.
Creating the LNSS_MONITOR_USER on the target machine would also not work becasue I believe the service would be running under Domain\LNSS_MONITOR_USER, and that you can not create on the target machine.
I don't know if there is a way to force NSS to use the credentials given in the profile first. Might be a perculiarity of NSS. If this is all correct, then I'm afraid you have no choice but to tell Eventsmanager to ignore the event.
_____________________________
Regards,
Spidermouse
----------------------------------------------------------
Mythbusters - busting myths since 1972...
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 27.Aug.2008 1:21:21 PM
|
|
|
zypr3xa54
Posts: 8
Joined: 18.Aug.2008
Status: offline
|
Spider,
I had to change the User Account that the Service for all GFI Products were running under to an account that I created with Admin rights. I do not see the Failure Audits on any new scans. Yippee.....
But....
I still have issues with DELL Open Manage telling me that packets are being lost on the two servers in the DMZ. It only seems to happen when the Scans are going on either one of the two servers. I have my scans set for 3 am and getting an email on my phone from DELL Open Manage is not cool that early in the morning...
Any Suggestions...????
Thanks For The Help!!!
Travis
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 27.Aug.2008 1:24:49 PM
|
|
|
DrewE
Posts: 476
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
|
Packet loss can be attributed to a lot of factors. Do you get these messages if the scans occur manually during the day? We may need to look into WireShark a free packet logging utility so we can better understand what is happening.
_____________________________
Drew Easley - Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Failure Audit with LNSS_MONITOR_USR - 27.Aug.2008 1:26:56 PM
|
|
|
zypr3xa54
Posts: 8
Joined: 18.Aug.2008
Status: offline
|
Drew,
Yes I did a scan in Mid-Day today and I had 3 emails from Open Manage come in...
I will check out wireshark.. And see what I can come up with..
Thanks
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
