Loopback address in events instead of IP/hostname

Article:TECH123263  |  Created: 2010-01-16  |  Updated: 2010-01-27  |  Article URL http://www.symantec.com/docs/TECH123263
Article Type
Technical Solution


Issue



The loopback address (127.0.0.1) appears in the "Collection Device IP" and "IP Source Address" fields instead of the real IP address.

Symptoms
The onboard Microsoft Windows Event Collector v4.3.30 returns the loopback address instead of the real IP address when the values are missing in the sensor configuration.



Cause



The mechanism the event collector uses to determine the IP address of a Windows machine has changed. Name resolution is now part of that determination, so the result depends on how the local sensor is configured within the event collector. For example, suppose the event collector is installed on machine A, with sensors configured to collect events from machines A, B and C. To keep the source/destination IP address from showing as 127.0.0.1, the Monitored Host Name for the local sensor (machine A) must not be "localhost" or "127.0.0.1" but the actual hostname of machine A. You must also enter an "Account Name" and "Password" (these cannot be left blank).
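
The check described above, as an added example that is not part of the original article or the product: a Python sketch that audits sensor definitions for loopback or blank settings and flags events whose two address fields hold a loopback address. The dictionary keys and the sample data are assumptions constructed for illustration; the collector's real configuration format is not shown in this article.

```python
import ipaddress

# Key names are assumptions for this example; the article calls the settings
# "Monitored Host Name", "Account Name" and "Password".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def is_loopback(value):
    """True if value is a loopback IP literal (127.0.0.0/8, ::1) or 'localhost'."""
    v = value.strip().lower().rstrip(".")
    if v in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(v.strip("[]")).is_loopback
    except ValueError:
        return False  # not an IP literal: treat as an ordinary hostname

def audit_sensor(sensor):
    """Return the list of problems found in one sensor definition (a dict)."""
    problems = []
    host = sensor.get("monitored_host_name", "")
    if not host.strip():
        problems.append("Monitored Host Name is blank")
    elif is_loopback(host):
        problems.append(f"Monitored Host Name is loopback ({host})")
    for key, label in (("account_name", "Account Name"), ("password", "Password")):
        if not sensor.get(key, "").strip():
            problems.append(f"{label} is blank")
    return problems

def loopback_events(events, fields=("Collection Device IP", "IP Source Address")):
    """Return (event index, field name) pairs where the field holds loopback."""
    return [(i, f) for i, e in enumerate(events) for f in fields
            if is_loopback(e.get(f, ""))]

# Constructed sample data: three sensor definitions and two collected events.
SENSORS = [
    {"monitored_host_name": "localhost", "account_name": "", "password": ""},
    {"monitored_host_name": "MACHINE-B", "account_name": "svc_collect", "password": "x"},
    {"monitored_host_name": "127.0.0.1", "account_name": "svc_collect", "password": "x"},
]
EVENTS = [
    {"Collection Device IP": "127.0.0.1", "IP Source Address": "127.0.0.1"},
    {"Collection Device IP": "192.0.2.10", "IP Source Address": "192.0.2.11"},
]

if __name__ == "__main__":
    for s in SENSORS:
        print(s["monitored_host_name"], audit_sensor(s))
    print(loopback_events(EVENTS))
```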

Solution



This was addressed with a LiveUpdate for Microsoft Windows Event Collector v4.3.30, released in March 2010.




Supplemental Materials

Source: ETrack
Value: 1967373

Legacy ID



2010021614394354

