Level 7

UserLogon / UserLogoff spam

I have been making an effort to get our LEM/SEM logs in order so we can start shaping and alerting the information it is giving us. One problem I have run into is we are getting a huge number of UserLogon and UserLogoff events under both "Local Account Authentication/Changes" and "User Logons" under "Authentication". I will see 3 or 4 copies of the same log hit SEM for the same user on the same remote server with the only difference ever being a slight change between DestinationLogonID. I will attach a redacted example of a logon and logoff to this thread as an example.

How do you all deal with the constant logon/logoff events while still staying PCI or HIPAA compliant?

2 Replies
Level 8

Signal boosting this question. I know it's a slightly older post, but I'm having the same issue. Usually it's with Exchange or our DCs. We only have around 100 people in our company, but we can hit 9999+ logs in a matter of minutes with this logon/logoff spam. Any ideas on how to clean it up?



0 Kudos

For future reference for anyone else having this problem: I contacted SolarWinds Support and they informed me that there wasn't any way for SEM to pick and choose which user logons come in, so they need to be mitigated at the source. They also included this link to a best practice article:

Success Center

Hopefully this helps the next person.

0 Kudos