
Many, many events (Logon Failure "\") received from Windows in SEM!!

Hi,

We received thousands of events from the DNS server (Logon Failure "\"),
but we can't solve or understand this problem, so we need to solve it, ignore it, or understand the reason.

  • What kind of DNS server is this? Windows?

    If so, this is the Windows security event log; from there you should see where the login is originating. If this is always the same IP, check that server for services/tasks that are configured with wrong credentials.

  • Yes, it is Windows Server DNS.

    It is always from the same IP. We tried to format and reinstall the DNS server, but the same event appeared again.

    In Event Viewer, the account = - and machine = -.

  • As indicated, this appears to be a simple matter of SEM receiving log data from this source server, which happens to be running the DNS role function.

    I suggest you review the Windows events on the source server to confirm the original log event messages are the same as you are seeing in SEM. They will be, but best to check.

    It is a case of determining what is creating these log entries, which you indicate is the DNS Server role application. Google (or your preferred engine) the Event ID error. Trace the source server to determine if there is a rogue app or DNS secondary server trying to make updates with the wrong credentials.

    Your Group Policy Audit settings are configured to determine what events generate log entries, and therefore what you see in SEM, so review if you are over-logging.

    GL
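
One way to do the event review suggested in the replies above, as an added example that is not part of the original thread: a PowerShell function that groups failed-logon events by source address, workstation and account so the origin stands out. It assumes the events are Security log Event ID 4625 (the thread does not name the ID); the function names and the sample events are constructed for illustration.

```powershell
# Added example: summarize failed logons (assumed Security log, Event ID 4625) by origin.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $doc = [xml]$x
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $doc.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            # An empty domain and user name print as "\" here.
            Account     = ('{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName'])
            LogonType   = $d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
            SubStatus   = $d['SubStatus']
        }
    }
    # Most frequent origin/account combination first.
    $rows | Group-Object SourceIp, Workstation, Account, LogonType, AuthPackage, SubStatus |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (not from the thread); 192.0.2.x are documentation addresses.
function New-SampleEvent([string]$Domain, [string]$User, [string]$Ip, [string]$Type) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>$Domain</Data>" +
    "<Data Name='LogonType'>$Type</Data><Data Name='AuthenticationPackageName'>NTLM</Data>" +
    "<Data Name='WorkstationName'>-</Data><Data Name='IpAddress'>$Ip</Data>" +
    "<Data Name='SubStatus'>0xc0000064</Data></EventData></Event>"
}

$sample = @(
    (New-SampleEvent '' '' '192.0.2.10' '3'),
    (New-SampleEvent '' '' '192.0.2.10' '3'),
    (New-SampleEvent 'CORP' 'svc_backup' '192.0.2.25' '3')
)
Get-FailedLogonSummary -EventXml $sample | Format-Table -AutoSize

# Live use on the source server (elevated prompt):
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000 |
#          ForEach-Object { $_.ToXml() }
#   Get-FailedLogonSummary -EventXml $xml
```

If one source address dominates the output, the services and scheduled tasks on that host are the place to look for wrong credentials, as the first reply suggests.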

  • Mine are Windows machines. I wonder if the fact that they're STIG'd has anything to do with it?

    Bill
