Missing IP address in Security Audit

ronald

Apr 2, 2001
Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,
Not sure if you have come across this problem.

I have a domain with 8 member servers. Apparently we had turned on security
audit for successful logon as well.

The problem is that the user name, server name, etc. are correctly captured in the
event log (Security), but it does not capture the correct IP of the remote host
that logs in to the domain. The IP shown in the log is 127.0.0.1 (localhost
address). Can anyone help and advise on any settings that I have missed?

Regards
Ronald
 

ronald


More information: as you can see, I log in from a remote PC to the domain, but
the logon shows the client IP as 127.0.0.1.

Authentication Ticket Granted:
User Name: Administrator
Supplied Realm Name: ALTDOMAIN
User ID: %{S-1-5-21-1390850448-2335789268-393128203-500}
Service Name: krbtgt
Service ID: %{S-1-5-21-1390850448-2335789268-393128203-502}
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 127.0.0.1

 
Guest

Be sure you check all the logon event entries. I also see a lot of what you
describe but I also do see events logged with the computer IP as shown
below. I admit that Windows account logon auditing is less than friendly as
in the user is always shown as system in the security log table. If you
enable auditing of logon events in domain computers a logon event will also
be recorded on the domain computer when a domain user logs onto it.

--- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/9/2005
Time: 8:58:13 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1-2003
Description:
Service Ticket Request:
User Name: Administrator@Test1.COM
User Domain: TEST1.COM
Service Name: SERVER1-2003$
Service ID: TEST1\SERVER1-2003$
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Client Address: 192.168.1.52
Failure Code: -
Logon GUID: {831290c7-686c-b3cd-0a2f-16c434e9b3fb}
Transited Services: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



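Added example, not part of the original posts: Python that parses event descriptions like the two quoted in this thread and, per account, separates loopback Client Address entries from remote ones, which is the comparison Steve suggests making across all logon entries. The blank-line-separated export layout, the function names and the folding of `Administrator@Test1.COM` to `administrator` are assumptions; the sample is constructed from the thread's two events, abridged.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two event descriptions quoted in this thread (abridged),
# separated by a blank line as assumed for a plain-text export.
SAMPLE_EXPORT = """\
Authentication Ticket Granted:
User Name: Administrator
Supplied Realm Name: ALTDOMAIN
Service Name: krbtgt
Ticket Options: 0x40810010
Client Address: 127.0.0.1

Service Ticket Request:
User Name: Administrator@Test1.COM
User Domain: TEST1.COM
Service Name: SERVER1-2003$
Ticket Options: 0x40800000
Client Address: 192.168.1.52
"""

def parse_events(text):
    """Split a text export into one dict of 'Field: value' pairs per event."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        fields = {"Event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def summarize_client_addresses(events):
    """Per account, collect remote client addresses and count loopback entries."""
    summary = defaultdict(lambda: {"remote": set(), "loopback": 0})
    for ev in events:
        # Assumption: drop the @realm suffix so both name forms map to one account.
        user = ev.get("User Name", "").split("@")[0].lower()
        try:
            addr = ipaddress.ip_address(ev.get("Client Address", ""))
        except ValueError:
            continue  # field missing or not an IP address (e.g. "-")
        if addr.is_loopback:
            summary[user]["loopback"] += 1
        else:
            summary[user]["remote"].add(str(addr))
    return dict(summary)
```

An account that shows only loopback entries and no remote address in the summary is the case described in the original question.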