Logon Failure - Where is the culprit IP.


Hi All,

I am getting 529 errors multiple times a day on different domain
controllers. How can I find which machine or IP address is the generator of
it?
Event Log Details - Event ID 529. Category Logon/Logoff

Logon Failure:
Reason: Unknown user name or bad password
User Name: User1
Domain: Domain1
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DC1

I tried the Network Monitor but could not get anything out of it. I need some
pointers or help to some documents/procedures/tools or ideas.

Thanks
IK
 
Workstation: DC1.

Is that a machine on your network? If not, do you have a good firewall in
place to protect your network from the Internet?
 
The only way to get the culprit IP is to use a firewall, sniffer or router
logs [possibly with a free syslog client like www.kiwisyslog.com].
www.sygate.com and www.kerio.com are more or less free firewalls. Ethereal
is a free sniffer. You would need to manually try to correlate the IP /
firewall logs with your windows event logs, or you can use a free tool like
NTSYSLOG to spit both logs into one syslog in realtime for easier
correlation.
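The correlation described in the reply above, as an added example that is not from this thread: a Python script walks a combined syslog stream (Windows 529 events forwarded by NTsyslog plus firewall connection records) and, for each failure logged by the DC, counts which source IPs connected to the DC in the seconds before the event was written. The DC IP 10.0.0.10, the 5-second window, the sample lines and both line formats are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a combined syslog stream: NTsyslog-forwarded 529 events from the DC
# and firewall connection records, interleaved. Both line formats are assumptions made for
# this example, not real NTsyslog or vendor firewall output.
SYSLOG = """\
Jan 12 10:03:19 fw1 FW: ACCEPT SRC=10.1.5.23 DST=10.0.0.10 PROTO=TCP DPT=445
Jan 12 10:03:20 fw1 FW: ACCEPT SRC=10.1.7.40 DST=10.0.0.10 PROTO=TCP DPT=139
Jan 12 10:03:21 DC1 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: User1 Domain: Domain1 Logon Type: 3 Workstation Name: DC1
Jan 12 10:09:00 fw1 FW: ACCEPT SRC=10.1.9.8 DST=10.0.0.10 PROTO=TCP DPT=445
Jan 12 10:15:44 fw1 FW: ACCEPT SRC=10.1.5.23 DST=10.0.0.10 PROTO=TCP DPT=445
Jan 12 10:15:45 DC1 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: User1 Domain: Domain1 Logon Type: 3 Workstation Name: DC1
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
CONN_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def parse_syslog(text):
    """Yield (timestamp, host, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Classic syslog timestamps carry no year; that is fine for same-day deltas.
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def correlate_failures(text, dc_host, dc_ip, window=5):
    """For each 529 logged by dc_host, count the firewall source IPs that connected
    to dc_ip within `window` seconds before the failure was logged. The event's own
    Workstation Name is the DC itself, so the firewall record is the only IP we have."""
    events = list(parse_syslog(text))
    failures = [ts for ts, host, msg in events if host == dc_host and " 529 " in msg]
    conns = []
    for ts, host, msg in events:
        m = CONN_RE.search(msg)
        if m and m.group(2) == dc_ip:
            conns.append((ts, m.group(1)))
    candidates = Counter()
    for f_ts in failures:
        for c_ts, src in conns:
            if 0 <= (f_ts - c_ts).total_seconds() <= window:
                candidates[src] += 1
    return candidates


if __name__ == "__main__":
    for ip, hits in correlate_failures(SYSLOG, "DC1", "10.0.0.10").most_common():
        print(f"{ip}: connected shortly before {hits} failure(s)")
```

An IP that shows up before every failure is the one to look at first; a wider window catches more noise, so tighten it once the DC and firewall clocks are known to be in sync.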
 
Thanks for the reply.

The security team is always quite on their toes, and they have blocked all
access to internal networks.
I am using NTsyslog to forward my logs to a syslog server. I will check with
my security team to correlate firewall logs with Windows Security logs.

Meanwhile I want to know what should I look for in the Network Monitor.
Secondly, is it possible that a machine with 2 NICs can present itself with
the first NIC's IP address?

Thanks
IK

Karl Levinson [x y] mvp said:
The only way to get the culprit IP is to use a firewall, sniffer or router
logs [possibly with a free syslog client like www.kiwisyslog.com].
www.sygate.com and www.kerio.com are more or less free firewalls. Ethereal
is a free sniffer. You would need to manually try to correlate the IP /
firewall logs with your windows event logs, or you can use a free tool like
NTSYSLOG to spit both logs into one syslog in realtime for easier
correlation.

 