I have been making an effort to get our LEM/SEM logs in order so we can start shaping and alerting the information it is giving us. One problem I have run into is we are getting a huge number of UserLogon and UserLogoff events under both "Local Account Authentication/Changes" and "User Logons" under "Authentication". I will see 3 or 4 copies of the same log hit SEM for the same user on the same remote server with the only difference ever being a slight change between DestinationLogonID. I will attach a redacted example of a logon and logoff to this thread as an example.
How do you all deal with the constant logon/logoff events while still staying PCI or HIPAA compliant?
Signal boosting this question. I know it's a slightly older post, but I'm having the same issue. Usually it's with exchange or our DCs. We only have around 100 people in our company, but we can hit 9999+ logs in a matter of minutes with this logon/logoff spam. Any ideas on how to clean it up?
For future reference for anyone else having this problem. I contacted Solarwinds Support and they informed me that there wasn't anyway for SEM to pick and choose which user logons come in so they need to be mitigated at the source. They also included this link to a best practice article:
Hopefully this helps the next person.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.