
Need some help confirming something...

Created: 18 Jan. 2013 | 8 comments

Can I get a couple of users of either the "Snare for Windows Event Collector" or the "Microsoft Vista and Microsoft Windows Server 2008 Event Collector" to confirm something for me?  After a full day of working in the office, could you run the query below on your own userid and tell me if you have any events that day with your actual workstation's IP address in the IP Source Address field (or any of the normalized fields, for that matter)?  All I see is the actual server IP addresses in this field. Obviously you will need to change the product to the correct Windows collector and enter your username.

(Mechanisms contains Login AND Product = Snare for Windows Event Collector AND (Windows User Name contains <enter your username> OR User Name contains <enter your username>))


Avkash K

Can you please elaborate, what exactly you are looking for?

Do you want the actual client IP in login events??

Are you checking out AD logs??

If you are checking DC logs then it depends on your DC, how and in what detail it logs the events.

Regards,

Avkash K

mathell

Hi Avkash,

I am looking for some folks to run the query I provided and let me know if they see their workstation IP address in the IP Source Address column of any of the windows events that are returned for the entire day.  I don't see any and I want to confirm it isn't just my environment.  I'm trying to keep it simple for now, but you can probably guess what my concern is. If you have an opportunity it would be appreciated.

Avkash K

As far as I know, as per my DC logging, I am not able to see my actual IP address in the IP Source Address field of login events ---> as this is a DC (Domain Account) login.

But whenever a user does an RDP login to any particular server or desktop --> the actual source IP gets captured in the IP Source Address field.

Regards,

Avkash K
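A way to run the same check against the raw forwarded events instead of the collector's query, as an added example that is not part of this thread: the key=value line layout and the sample events are constructed, and it assumes the forwarded logon events are Windows Security event 4624 carrying a Source Network Address field.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread): abbreviated Windows
# Security 4624 logon records as an event collector might forward them.
SAMPLE_EVENTS = [
    # Domain account logon recorded on the DC: no client address at all.
    "EventID=4624 Computer=DC01 LogonType=3 TargetUserName=mathell SourceNetworkAddress=-",
    # Logon processed locally on the DC: loopback, not the workstation.
    "EventID=4624 Computer=DC01 LogonType=3 TargetUserName=mathell SourceNetworkAddress=::1",
    # RDP logon (type 10) to a member server: the workstation IP is present.
    "EventID=4624 Computer=FS01 LogonType=10 TargetUserName=mathell SourceNetworkAddress=10.1.2.3",
    # Another user's RDP logon; must not be counted for mathell.
    "EventID=4624 Computer=FS01 LogonType=10 TargetUserName=other SourceNetworkAddress=10.1.9.9",
]

# Values in the source address field that never identify a client workstation.
NON_CLIENT = {"-", "", "::1", "127.0.0.1"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the key=value fields of one forwarded event as a dict."""
    return dict(FIELD_RE.findall(line))


def client_addresses(events, user):
    """Count usable client IPs seen in 4624 logon events for `user`."""
    seen = Counter()
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("TargetUserName") != user:
            continue
        addr = ev.get("SourceNetworkAddress", "-")
        if addr in NON_CLIENT:
            continue  # DC-side or loopback record, no workstation attribution
        seen[addr] += 1
    return seen


def summarize(events, user):
    """One-line answer to the thread's question for a given user."""
    hits = client_addresses(events, user)
    if not hits:
        return "no events for %s carry a client workstation IP" % user
    return ", ".join("%s x%d" % (ip, n) for ip, n in sorted(hits.items()))


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, "mathell"))
```

Only the RDP logon survives the filter, which matches the behaviour described above: DC-side domain logons give no workstation address, while interactive or RDP logons on member servers do.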

mathell

Thanks for checking Avkash.  

A couple of clarifying questions. Which collector? Do you receive events from servers as well (not just domain controllers)?  Also Windows 2003, 2008 or both?

mathell

BUMP.  Is there anyone else who would be willing to run this query?

Avkash K

Yup, this check is for all Windows-related logs. Servers as well, and for 2003 & 2008 also.

Regards,

Avkash K

mathell

Okay, thanks.  And are you using Snare to collect the events, or the other Windows collector?

Avkash K

I am using Windows Event Collector.

Regards,

Avkash K