Lots of FAILURE AUDIT: an account failed to log on entries in Security Log


On the login source system 'QDMNT140' use netstat -ano | findstr 3973 to see which process has the matching source port '3973' open. Replace 3973 with whatever the port changes to if it's not static.
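
When the source port changes with every attempt, a single netstat run can miss the connection. The script below is an added example, not part of the original answer: run on the source machine, it polls for TCP connections to the server that logged the failures and records the owning process of each new one. It assumes an elevated PowerShell with `Get-NetTCPConnection` (Windows 8 / Server 2012 or later); `$ServerAddress` and `$OutFile` are hypothetical parameters.

```powershell
# Added example: log which local process opens each TCP connection to the
# server that recorded the 4625 failure audits.
# Assumptions: elevated PowerShell on the source machine; Get-NetTCPConnection
# is available (Windows 8 / Server 2012 or later).
param(
    [Parameter(Mandatory)]
    [string]$ServerAddress,                           # IP of the server logging the failures (not given on the page)
    [int]$PollMilliseconds = 200,                     # short interval, the connection may be brief
    [string]$OutFile = "$env:TEMP\logon-source.csv"   # hypothetical output path
)

$seen = @{}   # "localPort/remotePort/pid" -> $true, so each connection is logged once

while ($true) {
    # A non-terminating error is raised when nothing matches; suppress it.
    $conns = Get-NetTCPConnection -RemoteAddress $ServerAddress -ErrorAction SilentlyContinue

    foreach ($c in $conns) {
        $key = '{0}/{1}/{2}' -f $c.LocalPort, $c.RemotePort, $c.OwningProcess
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # The process may already have exited by the time it is looked up.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue

        $row = [pscustomobject]@{
            Time        = (Get-Date).ToString('o')
            LocalPort   = $c.LocalPort        # compare with "Source Port" in the event
            RemotePort  = $c.RemotePort
            State       = $c.State
            ProcessId   = $c.OwningProcess
            ProcessName = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path        = if ($proc) { $proc.Path } else { $null }
        }

        $row | Export-Csv -Path $OutFile -Append -NoTypeInformation
        Write-Host ('{0}  local:{1} -> remote:{2}  pid {3} ({4})' -f `
            $row.Time, $row.LocalPort, $row.RemotePort, $row.ProcessId, $row.ProcessName)
    }

    Start-Sleep -Milliseconds $PollMilliseconds
}
```

Match the `LocalPort` column against the Source Port and timestamp of a new 4625 event. An owner of PID 4 (System) means the connection was opened by the kernel, as SMB client connections are, so the port alone does not name the requesting user-mode process.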


Author: Param

Updated on September 18, 2022

Comments

  • Param
    Param over 1 year

    I have received lots of failure audits on my server. From the log, I have identified the particular machine that is the culprit. How can I identify which process is sending the login request?

    Do you have any idea how to find out?

    Below is the detail of the log.

    Security log on \QKSRVDC212:

    [2465151] Microsoft-Windows-Security-Auditing
    
        Type:     FAILURE AUDIT 
    
        Computer: QKSRVDC212.Corp.abc.com
    
        Time:     7/26/2012 9:31:00 AM   ID:       4625 
    
    An account failed to log on.
      Subject:
        Security ID:        S-1-0-0
        Account Name:       -
        Account Domain:     -
        Logon ID:       0x0
      Logon Type:           3
    
      Account For Which Logon Failed:
        Security ID:        S-1-0-0
        Account Name:       Quality
        Account Domain:     QDMNT140
    
      Failure Information:
        Failure Reason:     Unknown user name or bad password.
        Status:         0xc000006d
        Sub Status:     0xc0000064
    
      Process Information:
        Caller Process ID:  0x0
        Caller Process Name:    -
    
      Network Information:
        Workstation Name:   QDMNT140
        Source Network Address: 10.1.1.185
        Source Port:        3973
    
      Detailed Authentication Information:
        Logon Process:      NtLmSsp 
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only):   -
        Key Length:     0