Security Log in Event Viewer does not store IPs

Solution 1

Can someone please tell me why the Security Log doesn't know the IP address of people trying to log in and failing?

Here is the cause for something like Remote Desktop.

http://cyberarms.net/security-insights/security-lab/remote-desktop-logging-of-ip-address-%28security-event-log-4625%29.aspx

There is no option in Windows to enable or disable the logging of IP address, at least not to my knowledge.

For Remote Desktop I discovered that going into "Remote Desktop Session Host Configuration" and changing the RDP-TCP connection to have the security layer of "RDP Security Layer" instead of "Negotiate" or "SSL (TLS 1.0)" brought back the IP addresses.

Whether you really want to do this is another question for you, "If you select RDP Security Layer, you cannot use Network Level Authentication."

Solution 2

IP addresses not being present in Windows logs isn't all that uncommon, especially if (for example), the failures are coming from a service, like IIS and you only have "basic" level logging for IIS... or SMTP and you have "basic" level logging for SMTP, etc.

Not the way I'd set my logging defaults if Windows was my OS, but Gates never asked for my input. I'd suggest adjusting your logging levels (and expanding the max log file sizes) and seeing if that doesn't resolve the problem. It's not that Windows doesn't know the source IP, but that the logging level is set such that it's not recording that information. (And, for whatever it’s worth, setting the logging level to something useful is one of the first steps I undertake on a new Windows server or server template.)

Solution 3

Similar to what HopelessN00b said, the most likely reason why you don't see this information is because the audit failure are generated by a service on behalf of the user. So the user isn't authenticating directly (as he or she would when logging into Windows for example), but through some other service like IIS, SQL, etc. You would then have to parse the logs of those services to find out the IP address.

Now, if the authentication is directly through Windows, then you should usually see the IP address, or 127.0.0.1 if it's coming from the local machine.

There is no option in Windows to enable or disable the logging of IP address, at least not to my knowledge. So, there is no real logging "level". You either enable a logging category, or not. The only thing you can configure is whether to log audit failures and/or audit success events (maybe see this article: http://blogs.technet.com/b/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx).

BTW, there are lots of free products out there which monitor the event logs (e.g. we develop EventSentry), it's usually much easier to just use that rather than write your own (unless you do it as an exercise of course :-) ).

Hope this helps.

Related videos on Youtube

09 : 40

Security Analytics and Logging SaaS Event Viewer Configuration

Cisco Secure Firewall

203

08 : 00

How To Use The Windows Event Viewer For Cyber Security Audit

Jon Good

42

17 : 49

How to Use Event Viewer to review Cyber Security Logs

Ian Trimble

37

05 : 31

( Event Viewer ) Event ID 4624 - See Who and When Logged Into My Computer

microsoft lab

12

02 : 54

DevOps & SysAdmins: Security Log in Event Viewer does not store IPs (5 Solutions!!)

Roel Van de Paar

0

Author by

Thanh Thái

Updated on September 18, 2022