2 Replies Latest reply on Feb 5, 2015 8:37 AM by turanascioglu

    Some fields in source event are not logged


      Event-contents from the domain controller is not completely logged.


      For instance, here is an event as generated on the domain controller:


      Network Policy Server granted full access to a user because the host met the defined health policy.



                     Security ID:                                         PXLPERS\20002706

                     Account Name:                                  20002706@pxl.be

                     Account Domain:                               PXLPERS

                     Fully Qualified Account Name:          PERS.PXL.LOCAL/Personeel/Turan Ascioglu


      Client Machine:

                     Security ID:                                         NULL SID

                     Account Name:                                  -

                     Fully Qualified Account Name:          -

                     OS-Version:                                         -

                     Called Station Identifier:                     000B860306A0

                     Calling Station Identifier:                    A0A8CD875023



                     NAS IPv4 Address:     

                     NAS IPv6 Address:               -

                     NAS Identifier:                          

                     NAS Port-Type:                                   Wireless - IEEE 802.11

                     NAS Port:                                            0


      RADIUS Client:

                     Client Friendly Name:                         controller240

                     Client IP Address:                     


      Authentication Details:

                     Connection Request Policy Name:     802.1X and Captive Portal

                     Network Policy Name:                       802.1X and Captive Portal Docenten Wireless

                     Authentication Provider:                    Windows

                     Authentication Server:                        PXLDC1.PXL.LOCAL

                     Authentication Type:                          PEAP

                     EAP Type:                                           Microsoft: Secured password (EAP-MSCHAP v2)

                     Account Session Identifier:                  -


      Quarantine Information:

                     Result:                                                 Full Access

                     Extended-Result:                                 -

                     Session Identifier:                                -

                     Help URL:                                           -

                     System Health Validator Result(s):     -


      Mind the part in RED.


      Now, compare this to the event as seen by LEM.


      2015-02-05 11_22_11-SolarWinds Log & Event Manager.jpg


      This event is logged by the Network Policy server whenever a user authenticates through 802.1x on a Wifi or wired connection. In the source event (red part) I can see the Radius-client (controller, access point or switch) that initiates the peap authentication (

      However in the event in LEM, nothing is mentioned about the radius client.


      This is just an example. I an image a lot of other (maybe) usefull data that is lost.


      Is this normal behaviour or can I do something to fix this issue?


      Thanks in advance.