
Need some help confirming something...

Created: 18 Jan 2013 | 8 comments

Can I get a couple users of either the "Snare for Windows Event Collector" or the "Microsoft Vista and Microsoft Windows Server 2008 Event Collector" to confirm something for me?  After a full day of working in the office, could you run the query below on your own userid and tell me if you have any events that day with your actual workstation's IP address in the IP Source Address field (or any of the normalized fields for that matter)?  All I see is the actual server IP addresses in this field. Obviously you will need to change the product to the correct Windows collector and enter your username.

(Mechanisms contains Login AND Product = Snare for Windows Event Collector AND (Windows User Name contains <enter your username> OR User Name contains <enter your username>))
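As an added illustration (not part of the original post), the posted filter applied in Python to a few constructed events, separating the IP Source Address values into known server addresses and anything else; the event records, addresses and the reading of "contains" as a case-insensitive substring match are assumptions.

```python
# Added example (not from the thread): applies the posted filter to constructed
# events and splits IP Source Address values into server and non-server addresses.

PRODUCT = "Snare for Windows Event Collector"

# Constructed sample events using the query's field names. A missing field is "".
SAMPLE_EVENTS = [
    # Domain logon recorded by a DC: the address seen is the DC's own.
    {"Product": PRODUCT, "Mechanisms": "Login", "Windows User Name": "mathell",
     "IP Source Address": "10.0.0.5"},
    # Logon on a member server, matched through the other user field.
    {"Product": PRODUCT, "Mechanisms": "Login", "User Name": "CORP\\mathell",
     "IP Source Address": "10.0.0.6"},
    # RDP-style logon where the connecting workstation's address was kept.
    {"Product": PRODUCT, "Mechanisms": "Login", "Windows User Name": "mathell",
     "IP Source Address": "192.168.1.50"},
    # Excluded by the filter: wrong mechanism, then wrong product.
    {"Product": PRODUCT, "Mechanisms": "Logout", "Windows User Name": "mathell",
     "IP Source Address": "192.168.1.50"},
    {"Product": "Other Collector", "Mechanisms": "Login", "Windows User Name": "mathell",
     "IP Source Address": "192.168.1.77"},
]

# Constructed: addresses of the hosts that forward events to the collector.
SERVER_IPS = {"10.0.0.5", "10.0.0.6"}

def matches_query(event, product, username):
    """Same predicate as the posted query. 'contains' is assumed to be a
    case-insensitive substring test; '=' is an exact match."""
    user = username.lower()
    return ("login" in event.get("Mechanisms", "").lower()
            and event.get("Product") == product
            and (user in event.get("Windows User Name", "").lower()
                 or user in event.get("User Name", "").lower()))

def source_addresses(events, product, username):
    """Count each IP Source Address value across the matching events."""
    counts = {}
    for ev in events:
        if matches_query(ev, product, username):
            ip = ev.get("IP Source Address", "")
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def non_server_addresses(events, product, username, server_ips):
    """What the poster is looking for: matched addresses that are not a
    known log-forwarding server, i.e. candidate workstation addresses."""
    return {ip for ip in source_addresses(events, product, username)
            if ip not in server_ips}
```

If the returned set is empty for a full day of your own events, the collector is only recording the reporting server's address, which is what the poster reports seeing.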


Avkash K:

Can you please elaborate on what exactly you are looking for?

Do you want the actual client IP in login events?

Are you checking AD logs?

If you are checking DC logs, then it depends on your DC, and how and what it logs in the event details.

Regards,

Avkash K

mathell:

Hi Avkash,

I am looking for some folks to run the query I provided and let me know if they see their workstation IP address in the IP Source Address column of any of the windows events that are returned for the entire day.  I don't see any and I want to confirm it isn't just my environment.  I'm trying to keep it simple for now, but you can probably guess what my concern is. If you have an opportunity it would be appreciated.

Avkash K:

As far as I know, as per my DC logging, I am not able to see my actual IP address in the IP Source Address field of login events, as this is a DC (Domain Account) login.

But whenever a user does an RDP login to any particular server or desktop, the actual source IP gets captured in the IP Source Address field.

Regards,

Avkash K

mathell:

Thanks for checking Avkash.

A couple of clarifying questions. Which collector? Do you receive events from servers as well (not just domain controllers)?  Also Windows 2003, 2008 or both?

mathell:

BUMP.  Is there anyone else that would be willing to run this query?

Avkash K:

Yup, this check is for all Windows-related logs, servers as well, and for 2003 & 2008 also.

Regards,

Avkash K

mathell:

Okay, thanks.  And you're using Snare to collect the events or the other Windows collector?

Avkash K:

I am using Windows Event Collector.

Regards,

Avkash K