2 Replies Latest reply on Feb 5, 2015 8:37 AM by turanascioglu

    Some fields in source event are not logged

    turanascioglu

      Event contents from the domain controller are not completely logged.

       

      For instance, here is an event as generated on the domain controller:

       

      Network Policy Server granted full access to a user because the host met the defined health policy.

       

      User:

                     Security ID:                                         PXLPERS\20002706

                     Account Name:                                  20002706@pxl.be

                     Account Domain:                               PXLPERS

                     Fully Qualified Account Name:          PERS.PXL.LOCAL/Personeel/Turan Ascioglu

       

      Client Machine:

                     Security ID:                                         NULL SID

                     Account Name:                                  -

                     Fully Qualified Account Name:          -

                     OS-Version:                                         -

                     Called Station Identifier:                     000B860306A0

                     Calling Station Identifier:                    A0A8CD875023

       

      NAS:

                     NAS IPv4 Address:               192.168.251.240

                     NAS IPv6 Address:               -

                     NAS Identifier:                                    192.168.251.240

                     NAS Port-Type:                                   Wireless - IEEE 802.11

                     NAS Port:                                            0

       

      RADIUS Client:

                     Client Friendly Name:                         controller240

                     Client IP Address:                               192.168.251.240

       

      Authentication Details:

                     Connection Request Policy Name:     802.1X and Captive Portal

                     Network Policy Name:                       802.1X and Captive Portal Docenten Wireless

                     Authentication Provider:                    Windows

                     Authentication Server:                        PXLDC1.PXL.LOCAL

                     Authentication Type:                          PEAP

                     EAP Type:                                           Microsoft: Secured password (EAP-MSCHAP v2)

                     Account Session Identifier:                  -

       

      Quarantine Information:

                     Result:                                                 Full Access

                     Extended-Result:                                 -

                     Session Identifier:                                -

                     Help URL:                                           -

                     System Health Validator Result(s):     -

       

      Mind the part in RED.

       

      Now, compare this to the event as seen by LEM.

       

      [Screenshot: 2015-02-05 11_22_11-SolarWinds Log & Event Manager.jpg]

       

      This event is logged by the Network Policy Server whenever a user authenticates through 802.1X on a Wi-Fi or wired connection. In the source event (red part) I can see the RADIUS client (controller, access point or switch) that initiates the PEAP authentication (192.168.254.240).

      However, in the event in LEM, nothing is mentioned about the RADIUS client.

       

      This is just an example. I can imagine a lot of other (maybe) useful data that is lost.

       

      Is this normal behaviour or can I do something to fix this issue?

       

      Thanks in advance.

       

      Turan
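
Added example, not part of the original post and not SolarWinds code: one way to list which populated fields of an NPS event like the one above never reach the normalized record, by parsing the raw message into section-qualified fields and comparing them with a connector's field mapping. The sample event is a shortened, constructed copy of the one in the post; `CONNECTOR_MAP` and its column names are hypothetical and do not describe LEM's schema.

```python
import re

# Constructed sample: shortened copy of the NPS event text from the post.
RAW_EVENT = """\
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
    Security ID:                 PXLPERS\\20002706
    Account Name:                20002706@pxl.be
Client Machine:
    Security ID:                 NULL SID
    Account Name:                -
    Calling Station Identifier:  A0A8CD875023
NAS:
    NAS IPv4 Address:            192.168.251.240
RADIUS Client:
    Client Friendly Name:        controller240
    Client IP Address:           192.168.251.240
Authentication Details:
    Authentication Type:         PEAP
    EAP Type:                    Microsoft: Secured password (EAP-MSCHAP v2)
"""

# Hypothetical connector mapping: source field -> normalized column.
# The column names are invented for this example.
CONNECTOR_MAP = {
    ("User", "Account Name"): "user",
    ("Client Machine", "Calling Station Identifier"): "src_mac",
    ("Authentication Details", "Authentication Type"): "auth_type",
}

LINE = re.compile(r"^\s*([^:]+):\s*(.*)$")  # split on the first colon only

def parse_event(text):
    """Return {(section, field): value}. Qualifying by section keeps repeated
    labels such as 'Security ID' (User vs. Client Machine) apart."""
    fields, section = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank line or the summary sentence
        label, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            section = label  # "User:", "NAS:", ... open a new section
        else:
            fields[(section, label)] = value
    return fields

def dropped_fields(text, connector_map):
    """Populated source fields ('-' means empty) the connector does not map."""
    return sorted(f"{s} / {f}" for (s, f), v in parse_event(text).items()
                  if v != "-" and (s, f) not in connector_map)
```

Running `dropped_fields(RAW_EVENT, CONNECTOR_MAP)` against a real connector mapping gives the list of source fields to raise with the vendor or to cover with a custom parsing rule.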