How to ignore successful network logons on specific servers
How to ignore successful network logons on specific ser... - 25.Jul.2007 8:32:11 AM
lovab
Posts: 4
Score: 0
Joined: 25.Jul.2007
Status: offline
Dear Guys, I've been reading through the forum to find a solution for my problem. Our domain produces about 15000 successful logon events /ID:540/ per day. Most of the logs are coming from 3-4 servers. I wish to filter any 540 events coming from these servers, however I'm unable to do so. One of the GFI support guys suggested in the forum to create a noise filter and set the User field to the name of the server. Unfortunately this didn't produce the results. Unfortunately the logs I'm getting have no proper info in any of the fields that would allow me to create a noise filter. Any idea how this could be done? Thank you!
< Message edited by lovab -- 1.Aug.2007 6:25:12 PM >
RE: How to ignore successful network logons at specific... - 30.Jul.2007 11:06:29 AM
Mark Busuttil
Posts: 4836
Score: 0
Joined: 16.Oct.2005
Status: offline
Can you please copy the event in question in this thread? You are able to remove any confidential information from the event before posting it. Also, can you please clarify what filter you have created within EventsManager? Thank you!
_____________________________
Regards, Mark Busuttil GFI Software Ltd - www.gfi.com Messaging, Content Security & Network Security Software GFI: MailEssentials - MailSecurity - MailArchiver - FAXmaker - LANguard – WebMonitor
RE: How to ignore successful network logons at specific... - 30.Jul.2007 4:04:41 PM
lovab
Posts: 4
Score: 0
Joined: 25.Jul.2007
Status: offline
Hi, Thanks for the reply. This is the event log entry I'm struggling with (bold is sanitized info):

------------------------------------------
Event Origin Details:
Date: 7/30/2007
Time: 9:58:00 PM
Type: Success Audit
Username: domain\user
Computer: servername
Source: Security
Category: Logon/Logoff
Event ID: 540
Internal Event ID: 794CE20F45
Rule Name: Successful Network Logon - during work hours
In Work Hours: Yes
Successful Network Logon:
User Name: username
Domain: domainname
Logon ID: (0x0,0x84DA83B)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: workstationname
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------------------

I've created a new rule set group, moved it to the top of the groups and created a noise rule, where the
- Security log is selected
- Conditions - Event ID 540, user: <name of the server$>, no event type selected
Despite the above rule, the successful logon section is flooded with 540's from this server. I'd be grateful for further assistance... thx
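As an added illustration (not GFI EventsManager's own logic, and not code from this thread), the following parses events in the layout posted above and applies a noise filter that suppresses Event ID 540 / Logon Type 3 events whose Computer field matches a configured set of servers, while counting what was suppressed so the suppression stays auditable. Server names, user names and the filter-on-Computer approach are assumptions for the example.

```python
import re
from collections import Counter

# Matches "Key: value" lines; non-greedy key so "Time: 9:58:00 PM" splits at the first colon.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Constructed list of servers whose successful network logons are considered noise.
NOISE_SERVERS = {"FILESRV01", "DC01"}


def parse_event(text):
    """Parse one event in the text layout shown above into a dict (section headers skipped)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2):          # lines with an empty value are section headers
            fields[m.group(1)] = m.group(2)
    return fields


def is_noise(ev, noise_servers=NOISE_SERVERS):
    """True only for successful network logons (540, type 3) originating on a noise server."""
    return (ev.get("Event ID") == "540"
            and ev.get("Logon Type") == "3"
            and ev.get("Computer", "").upper() in noise_servers)


def apply_noise_filter(events, noise_servers=NOISE_SERVERS):
    """Return (kept events, per-server count of suppressed events)."""
    kept, suppressed = [], Counter()
    for text in events:
        ev = parse_event(text)
        if is_noise(ev, noise_servers):
            suppressed[ev["Computer"].upper()] += 1   # keep a tally, never drop silently
        else:
            kept.append(ev)
    return kept, suppressed


def make_event(computer, event_id, logon_type, user):
    """Build a constructed event text in the layout of the posted entry (placeholder values)."""
    return "\n".join([
        "Event Origin Details:", "Date: 7/30/2007", "Time: 9:58:00 PM", "Type: Success Audit",
        f"Username: CORP\\{user}", f"Computer: {computer}", "Source: Security",
        "Category: Logon/Logoff", f"Event ID: {event_id}", "Successful Network Logon:",
        f"User Name: {user}", "Domain: CORP", "Logon ID: (0x0,0x84DA83B)",
        f"Logon Type: {logon_type}", "Logon Process: NtLmSsp", "Authentication Package: NTLM",
    ])


# Constructed sample: two noisy 540s from FILESRV01 (case differs), one 540 from a workstation,
# and an interactive logon (528, type 2) on FILESRV01 that must not be suppressed.
SAMPLE_EVENTS = [make_event("FILESRV01", "540", "3", "jdoe"), make_event("filesrv01", "540", "3", "svc-backup"),
                 make_event("WS-042", "540", "3", "jdoe"), make_event("FILESRV01", "528", "2", "admin")]
```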
RE: How to ignore successful network logons at specific... - 1.Aug.2007 11:48:47 AM
Mark Busuttil
Posts: 4836
Score: 0
Joined: 16.Oct.2005
Status: offline
When you say you created a new Noise Rule, does this mean that you created a new processing rule under the Noise Reduction folder? Within the computer profile that the machine is currently defined in, can you please ensure that the Noise Reduction Rule Set is set to a higher priority than the Security Rule Set. You can double check this in the following:
a) Configuration > Event Sources > Windows Event Logs
b) Process using these rule sets: keeping CTRL pressed down + Upward Arrow button, set the Noise Reduction rule set to the highest priority
Thank you!
RE: How to ignore successful network logons at specific... - 1.Aug.2007 11:57:16 AM
lovab
Posts: 4
Score: 0
Joined: 25.Jul.2007
Status: offline
Dear Mark, As I stated in my previous post: "moved it to the top of the groups and created a noise rule". So this rule is the very first one: top group and prio 1 rule within the group.
RE: How to ignore successful network logons at specific... - 3.Aug.2007 11:45:11 AM
Mark Busuttil
Posts: 4836
Score: 0
Joined: 16.Oct.2005
Status: offline
This issue is currently being handled by e-mail support. The reference number(s) used are: CAS-23698 - lovab NOTE: We have sent you an email on the address that you have registered over the forums with. Should you require any updates or further information, kindly contact us using the support form at the following link: http://support.gfi.com/supportrequestform.asp
RE: How to ignore successful network logons at specific... - 14.Sep.2007 2:54:07 AM
Mark Busuttil
Posts: 4836
Score: 0
Joined: 16.Oct.2005
Status: offline
We have tried to contact you using the email address which was used to register on the forums. The correspondence was given the reference numbers shown in my previous post. However we have not received any response yet. Kindly reply to our correspondence so we can continue troubleshooting this issue. Thank you.