Many, many events (Logon Failure "\") received from Windows in SEM!!


We received thousands of events from the DNS server (Logon Failure "\"), but we can't solve or understand this problem, so we need to solve it, ignore it, or understand the reason.

  • What kind of DNS Server is this? Windows?

     If so, this is the Windows security event log; from there you should see where the login is originating. If it is always the same IP, check that server for services/tasks that are configured with the wrong credentials.

  • Yes, it is Windows Server DNS.

    It is always from the same IP. We tried to format and reinstall the DNS server, but the same event appeared again.

    In Event Viewer the account = - and machine = -.

  • As indicated, this appears to be a simple matter of SEM receiving log data from this source server, which happens to be running the DNS role function.

    I suggest you review the Windows events on the source server to confirm the original log event messages are the same as you are seeing in SEM. They will be, but best to check.

    It is a case of determining what is creating these log entries, which you indicate is the DNS Server role application. Google (or your preferred engine) the Event ID error. Trace the source server to determine if there is a rogue app or DNS secondary server trying to make updates with the wrong credentials.

    Your Group Policy Audit settings are configured to determine what events generate log entries, and therefore what you see in SEM, so review if you are over logging.


  • I'm getting these too from multiple detection IPs:

    UserLogonFailure Logon Failure "\"

    They're all Kerberos and Logon Process Authz.

    Some are web servers and some are sqlservr.exe in the extraneous info field.


  • Also, the source account always seems to be a machine account, like hostname$.

  • Mine are Windows machines. I wonder if the fact that they're STIG'd has anything to do with it?
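An added example, not code from any poster in this thread, that does what the earlier reply recommends (review the failed-logon events on the source server and trace where they come from) using the fields the later replies mention: logon process, authentication package, calling process and a machine-account subject. It assumes the SEM "UserLogonFailure" event corresponds to Windows Security event 4625, and the event XML it parses is constructed sample data.

```powershell
# Added example, not code from any poster in this thread. Parses Windows Security event 4625
# ("An account failed to log on"; assumed to be what SEM shows as UserLogonFailure) into the
# fields that locate the origin, then groups them. The XML below is constructed sample data.

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    # 4625 writes "-" for empty fields; SEM renders an empty domain\user pair as "\"
    $show = { param($v) if ([string]::IsNullOrEmpty($v) -or $v -eq '-') { '<blank>' } else { $v } }
    [pscustomobject]@{
        Time         = $doc.Event.System.TimeCreated.SystemTime
        Subject      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"   # caller, e.g. HOST$
        Target       = "$(& $show $data.TargetDomainName)\$(& $show $data.TargetUserName)"
        LogonType    = $data.LogonType
        LogonProcess = $data.LogonProcessName
        AuthPackage  = $data.AuthenticationPackageName
        SourceIp     = & $show $data.IpAddress
        Workstation  = & $show $data.WorkstationName
        Process      = $data.ProcessName
        SubStatus    = $data.SubStatus                                         # NTSTATUS reason code
    }
}

# Constructed sample event: machine-account subject, blank target, Authz/Kerberos, raised by sqlservr.exe
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-01T08:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">DNS01$</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">-</Data><Data Name="TargetDomainName">-</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">Authz</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data><Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data>
  </EventData>
</Event>
'@

# On the source server itself, replace @($sample) with the live log:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000 | ForEach-Object { $_.ToXml() }
$parsed = @($sample) | ForEach-Object { ConvertFrom-LogonFailureXml $_ }
$parsed | Group-Object SourceIp, Subject, LogonProcess, AuthPackage, Process |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The grouped output shows which source IP, calling account and process account for the bulk of the blank-target failures, which is the information needed to find the misconfigured service or task on that host rather than suppressing the events in SEM.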