Loopback address in events instead of IP/hostname

Article:TECH123263  |  Created: 2010-01-16  |  Updated: 2010-01-27  |  Article URL http://www.symantec.com/docs/TECH123263
Article Type
Technical Solution


You have the loopback address ( in the "Collection Device IP" and "IP Source Address" fields instead of the real IP

The onboard Microsoft Windows Event Collector v4.3.30  is giving back the loopback address instead of the real IP, when the values are missing in the sensor configuration.


There is some changes for the mechanism how event collector define IP address from the windows machine. Name resolution has been taken in part of the definition and it will depend on how local sensor is configured within the event collector. For example, if event collector is installed on machine A with sensors configured to collect events from machine A, B and C. To avoid source/destination ip address to show as, Monitored Host Name for local sensor (machine A) must not be "localhost" or "" but the actual hostname of the machine A. You will also need to input "Account Name" and "Password" (cannot leave blank)


This was addressed with a LiveUpdate for Microsoft Windows Event Collector v4.3.30, released March, 2010

Supplemental Materials


Legacy ID


Article URL http://www.symantec.com/docs/TECH123263

Terms of use for this information are found in Legal Notices