Loopback address in events instead of IP/hostname
Article: TECH123263 | Created: 2010-01-16 | Updated: 2010-01-27 | Article URL: http://www.symantec.com/docs/TECH123263
The "Collection Device IP" and "IP Source Address" fields show the loopback address (127.0.0.1) instead of the real IP.
The onboard Microsoft Windows Event Collector v4.3.30 returns the loopback address instead of the real IP when the values are missing in the sensor configuration.
The mechanism the event collector uses to determine the IP address of a Windows machine has changed. Name resolution is now part of that determination, and the result depends on how the local sensor is configured within the event collector. For example, suppose the event collector is installed on machine A with sensors configured to collect events from machines A, B and C. To prevent the source/destination IP address from showing as 127.0.0.1, the Monitored Host Name for the local sensor (machine A) must not be "localhost" or "127.0.0.1" but the actual hostname of machine A. You must also enter an "Account Name" and "Password"; these cannot be left blank.
This was addressed with a LiveUpdate for Microsoft Windows Event Collector v4.3.30, released March 2010.
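The sensor requirements above can be checked before deployment. The following is an added example, not Symantec code: it assumes the sensor settings have been copied into a Python dict keyed by the field names from this article (the dict shape and sensor labels are hypothetical), and it goes beyond the two values named above by flagging any loopback IP literal.

```python
import ipaddress

# Hypothetical key names mirroring the sensor settings named in the article.
HOST, ACCOUNT, PASSWORD = "Monitored Host Name", "Account Name", "Password"


def is_loopback_name(value):
    """True if value is 'localhost' or an IP literal in a loopback range."""
    name = value.strip().rstrip(".").lower()
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name.strip("[]")).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal


def audit_sensors(sensors):
    """Return (sensor label, problem) tuples for settings that lead to 127.0.0.1 in events."""
    findings = []
    for label, cfg in sensors.items():
        host = (cfg.get(HOST) or "").strip()
        if not host:
            findings.append((label, f"{HOST} is blank"))
        elif is_loopback_name(host):
            findings.append((label, f"{HOST} is loopback value {host!r}"))
        for key in (ACCOUNT, PASSWORD):
            if not (cfg.get(key) or "").strip():
                findings.append((label, f"{key} is blank"))
    return findings


# Constructed sample: collector on machine A with sensors for A, B and C.
SAMPLE = {
    "sensor-A": {HOST: "localhost", ACCOUNT: "", PASSWORD: ""},
    "sensor-B": {HOST: "MACHINE-B", ACCOUNT: "svc_collector", PASSWORD: "placeholder"},
    "sensor-C": {HOST: "127.0.0.1", ACCOUNT: "svc_collector", PASSWORD: "placeholder"},
}

if __name__ == "__main__":
    for label, problem in audit_sensors(SAMPLE):
        print(f"{label}: {problem}")
```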