Re: Failure Audit Event 681: Any way to get the Offending IP Address?
From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 12/31/02
- Next message: Karl Levinson [x y] mvp: "Re: Help with possible hacker..."
- Previous message: Karl Levinson [x y] mvp: "Re: unable to logon"
- In reply to: Tom Rossi: "Failure Audit Event 681: Any way to get the Offending IP Address?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> Date: Tue, 31 Dec 2002 13:26:57 -0800
Not currently; we're adding IP address to logon events in Windows .NET
Server.
Eric
-- Eric Fitzgerald Program Manager, Windows Auditing and Intrusion Detection Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "Tom Rossi" <TomRossi7@yahoo.com> wrote in message news:cb00dd30.0212240722.1293606a@posting.google.com... > I have noticed a ton of failed login attempts to one my W2K servers. > I have the events in my security log, but it only tells me a hostname > for the computer. Is there a way to get the IP Address? > > Here is an example: > > 12/23/2002 12:18:25 PM Security Failure Audit Account Logon 681 NT > AUTHORITY\SYSTEM SERVERNAME The logon to account: MemProxyUser1 > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > from workstation: SPSERVER > failed. The error code was: 3221226036 > > Thanks, > Tom Rossi
- Next message: Karl Levinson [x y] mvp: "Re: Help with possible hacker..."
- Previous message: Karl Levinson [x y] mvp: "Re: unable to logon"
- In reply to: Tom Rossi: "Failure Audit Event 681: Any way to get the Offending IP Address?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
