Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Login failures on target VM coming from the machine account of the assigned poller

Morning folks,

A customer we're monitoring is reporting login failures on the 5 VMs we're monitoring, all Server 2019. The SAM template we're using is a Windows 2019 Services&Counters imported from here and it works fine apart from the destination VMs logging login failures just before a successful login. This is identical to this post from over a decade ago: WMI Generating Login Failures for system_name$ - Forum - Server & Application Monitor (SAM) - THWACK (solarwinds.com)

I wondered if it was because we weren't using all the components of a monitor so some of them remained unconfigured with default authentication set to Negotiate. Those components are disabled, but perhaps SAM still polled the component but just binned the response, so I changed all the unused components to use WMI and NTLMDomain and the number of login failures went down.

Then I found this: [INFORMATIONAL] Excessive WMI Logins from NPM - Forum - Network Performance Monitor (NPM) - THWACK (solarwinds.com)

So now I'm wondering if SAM also tries an anon login then the NTLM one before every uptime check. I'm waiting for the customer to get back to me with timings for the login failures but I'm interested if anyone else has seen this problem, particularly since all the mentions on here are from 10+ years ago.

This is on 2023.3.

Cheers
Adrian

Find more posts tagged with

Accepted answers

All comments

jklundy

Review this to see if relevant. Failed logon event when running remote WMI - Windows Client | Microsoft Learn

fop

Ah that's the article I'd been looking for to send to support, nice one for finding it

I knew I'd read it somewhere before while looking for something else not related to this customer. Cheers! Surely I'm not the only one who's seeing this though

jklundy

I don't think you are the only one. I actually found a reference to it on a different monitoring system support pages. I am monitoring ~950 Windows VMs and only a few (less than 10) excessive logging. That is what I really find strange. All of our systems are based on a common gold image, get the same auditing settings via GPO. I'm not doing any unique monitoring, just basic WMI metrics and a few applications (all based on a common template). We have not been able to explain why this small subset of VMs has this symptom.

If you have an AHA moment, please post and share.

Kevin

fop

That's bonkers, though it's reminding me of the last desktop rollout we did a few years ago - 20 HP Elitedesks all with Win10 preinstalled. 14 of them were fine, 6 gave us proper grief with regard to updates and just general oddness. We couldn't explain that either.