Windows account used by nodes.

Hello and welcome take a look at this KB should help

List nodes on Manage Windows Credentials (solarwinds.com)

Hey, thanks for the reply. I fell at the first hurdle .!

getting this when i execute the copied and pasted query. 

SELECT TOP 1000 * FROM [dbo].[Credential] 

Msg 208, Level 16, State 1, Line 1
Invalid object name 'dbo.Credential'.

I'm getting confused here. If I go onto the solarwinds box and check evnt log security

A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x8D30A1511
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: I<Service account>
Account Domain: group1
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: server1.domain.com
Additional Information: server1.domain.com

Process Information:
Process ID: 0x9164
Process Name: C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2.exe

From the above, I assumed solarwinds is connecting to Server1 using <service-account.>

But when I check server1 node settings. Its only using SNMP,  not WMI & nowhere in the settings does it specify the <service account>.. What am i missing ?

Do you have any application monitoring against server1 that use that service account?

yeah, but struggling to find where the credentials go.

When viewing the application in orion press "edit application montitoring" (if button does not exist you are not SAM admin)

In there, expand the component configuration and look for "Credential for moniotirng". Each type of component can differ in how it looks.

The credential name here is not the same as for nodes. You find them under Settings/all settings/ sam settings /credential library

Ah, got it. Lookslike its using hte credential specified on the template. I gues I just need to update the template with the new service account and if it inherits from template , that should be it.

Thanks again.

Hi Joe,

We can create a report for which node monitoring with service account. Kindly create a report used the below SQL query. Please find the below details. you can easily identified the service accounts. 

Select Nodes.IP_Address, Nodes.Caption, Nodes.Domain_name, Nodes.Node_type, Nodes.status, Credential.Name from Credential

inner join NodeSettings on Credential.ID=NodeSettings.SettingValue

inner join Nodes on NodeSettings.NodeID=Nodes.NodeID

where NodeSettings.SettingName='WMICredential'

Regards. 

IT looks like the WMIcredentail uses another account. The application components list the correct account i am interested in. That reports shows me other service accounts for the nodes. (if that makes sense)

Managed to get this which does the job

SELECT n.NodeID, n.Caption as Node, a.ID as ApplicationID, a.Name as [Application], c.ID as ComponentId, c.Name as Component,
cts.Value as TemplateCredId, cs.[Value] as OverridenCredId, cred.Name as CredName
FROM APM_Component c
INNER JOIN APM_Application a ON c.ApplicationID = a.ID
INNER JOIN Nodes n ON a.NodeID = n.NodeID
LEFT JOIN APM_ComponentSetting cs ON cs.ComponentID = c.ID AND cs.[Key] = '__CredentialSetId'
LEFT JOIN APM_ComponentTemplate ct ON ct.ID = c.TemplateID
LEFT JOIN APM_ComponentTemplateSetting cts ON cts.ComponentTemplateID = ct.ID AND cts.[Key] = '__CredentialSetId'
LEFT JOIN [Credential] cred ON cred.ID = ISNULL(cs.Value, cts.Value)
WHERE Cred.Name IS NOT NULL

Yes Correct this job is good. looks like we are able to see the all application credentials in console. 

Thanks Joeshmoe. 

You're seeing this event in the Windows Security logs of your Orion application server specifically because the "SolarWinds Job Engine v2" service is running as "Local System" account.

This is different from the credentials that would be used to actually monitor nodes or applications, which is what the previously references queries will show you. (That's still a very useful query to keep handy!)

Per Microsoft's documentation (4648(S) A logon was attempted using explicit credentials. (Windows 10) - Windows security | Microsoft Docs) this is normally logged as a part of normal operations. 

"This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

"This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.

"It is also a routine event which periodically occurs during normal operating system activity."

Hope this helps answer your question!

You're seeing this event in the Windows Security logs of your Orion application server specifically because the "SolarWinds Job Engine v2" service is running as "Local System" account.

This is different from the credentials that would be used to actually monitor nodes or applications, which is what the previously references queries will show you. (That's still a very useful query to keep handy!)

Per Microsoft's documentation (4648(S) A logon was attempted using explicit credentials. (Windows 10) - Windows security | Microsoft Docs) this is normally logged as a part of normal operations. 

"This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

"This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.

"It is also a routine event which periodically occurs during normal operating system activity."

Hope this helps answer your question!