| KB ID: | 10013 |
| Last Revision: | November 26, 2006 |
| Version: | 1.0 |
Search: Search logons by IP Address.
The primary logon and failed-logon events for a computer are recorded in the Windows Security log (Windows 2000/2003 event IDs) as:
- Successful Logon (ID: 528)
- Logon Failure (ID: 529)
- Service Ticket Request (ID: 673)
- Pre-authentication Failed (ID: 675)
In addition to Successful Logons (ID: 528), logons to remote machines may also appear as Service Ticket Requests (ID: 673). Service Ticket Requests are the more accurate record when using Log Fidelity's solution: a domain controller logs many identical Service Ticket Requests for as long as the user stays logged on, but Log Fidelity's solution filters out the repeats and keeps only one Service Ticket Request, at the time the logon actually happens. The only difference between a Successful Logon and a Service Ticket Request is the IP address that gets logged. A Successful Logon sometimes contains the IP address of the remote computer the user is coming from, if the user is logging on remotely via Terminal Services (aka Remote Desktop), whereas the IP address in a Service Ticket Request is always that of the computer being logged onto.
In addition to Logon Failures (ID: 529), failed logons to remote machines may also appear as Pre-authentication Failures (ID: 675). The difference is the same: a Logon Failure sometimes contains the IP address of the remote computer the user is coming from, if the user is logging on remotely via Terminal Services (aka Remote Desktop), whereas the IP address in a Pre-authentication Failure is always that of the computer being logged onto. The name of the computer being logged onto isn't logged, but it should be easy to obtain from the IP address in the log (for example, through reverse DNS or your DHCP lease records; with DHCP, check the lease that was active at the time of the event, since the address may have been reassigned since).
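To make the event-ID logic above concrete, here is an added Python example. It is not part of this KB article and is not Log Fidelity's code; it parses a constructed set of logon events, collapses the repeated Service Ticket Requests (ID: 673) for the same user and IP into one record per logon session the way the text describes, and then searches by IP address with the optional time-window and domain restrictions. The sample events, the comma-separated record format, the 8-hour gap used to decide that a further 673 is a new logon rather than a ticket renewal, and all function names are assumptions made for illustration only.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Security event IDs named on this page (Windows 2000/2003 Security log).
SUCCESSFUL_LOGON = 528
LOGON_FAILURE = 529
SERVICE_TICKET_REQUEST = 673
PREAUTH_FAILED = 675
SUCCESS_IDS = {SUCCESSFUL_LOGON, SERVICE_TICKET_REQUEST}
FAILURE_IDS = {LOGON_FAILURE, PREAUTH_FAILED}

Event = namedtuple("Event", "time event_id user domain ip")

# Constructed sample data (not real log output). One event per line:
# timestamp, event id, user, domain, IP address. The IP is the field the
# page describes: source address for 528/529 (Terminal Services case),
# address of the computer being logged onto for 673/675.
SAMPLE_LOG = """\
2006-11-20 08:01:10,528,jsmith,CORP,10.1.5.22
2006-11-20 08:01:12,673,jsmith,CORP,10.1.5.22
2006-11-20 08:31:12,673,jsmith,CORP,10.1.5.22
2006-11-20 09:01:12,673,jsmith,CORP,10.1.5.22
2006-11-20 09:15:00,529,admin,CORP,10.1.5.22
2006-11-20 09:15:03,675,admin,CORP,10.1.5.22
2006-11-20 10:00:00,528,bjones,CORP,10.1.5.40
2006-11-20 17:30:00,673,jsmith,CORP,10.1.5.22
"""


def parse_log(text):
    """Parse the (assumed) comma-separated sample format into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, domain, ip = (f.strip() for f in line.split(","))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(eid), user, domain, ip))
    return sorted(events, key=lambda e: e.time)


def collapse_service_tickets(events, session_gap=timedelta(hours=8)):
    """Keep one 673 per user/IP logon session.

    A 673 is dropped when the previous 673 for the same user and IP is less
    than session_gap old (a ticket renewal within a running session). The
    8-hour gap is an assumption; the page does not say how the product
    decides where a session ends.
    """
    last_seen = {}
    kept = []
    for e in events:
        if e.event_id != SERVICE_TICKET_REQUEST:
            kept.append(e)
            continue
        key = (e.domain.lower(), e.user.lower(), e.ip)
        prev = last_seen.get(key)
        last_seen[key] = e.time
        if prev is not None and e.time - prev < session_gap:
            continue
        kept.append(e)
    return kept


def search_by_ip(events, ip, start=None, end=None, user_domain=None):
    """Return logon events for one IP, optionally limited to a time window
    and to accounts in one domain (the page's "fine tune" filters)."""
    hits = []
    for e in collapse_service_tickets(events):
        if e.ip != ip:
            continue
        if start is not None and e.time < start:
            continue
        if end is not None and e.time > end:
            continue
        if user_domain is not None and e.domain.lower() != user_domain.lower():
            continue
        hits.append(e)
    return hits


def who_was_logged_on(events, ip, start=None, end=None):
    """Accounts with a successful logon (528 or 673) at the IP inside the window."""
    return sorted({f"{e.domain}\\{e.user}"
                   for e in search_by_ip(events, ip, start, end)
                   if e.event_id in SUCCESS_IDS})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in search_by_ip(evts, "10.1.5.22"):
        kind = "success" if e.event_id in SUCCESS_IDS else "failure"
        print(e.time, e.event_id, kind, e.domain + "\\" + e.user)
    print(who_was_logged_on(evts, "10.1.5.22"))
```

Note that the search returns logon events, not sessions: an account that logged on before the start of your time window and was still logged on during the incident will not appear unless you widen the window backwards to include its logon.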
PREREQUISITES
The IP Address of the computer.
ESTIMATED QUERY TIME
>1 second.
METHOD 1 (Quick Search)
1. Enter the IP Address in the Quick Search field and click Go.
METHOD 2 (Advanced Search)
1. Enter the IP Address in the IP Address field and click Submit.
LIKELY SCENARIOS IT APPLIES TO
- When investigating an incident, sometimes the only information you have is the IP Address of the computer that has been the source of unwanted network activity. You want to find out who was logged on during the incident.
FINE TUNE YOUR SEARCH
If you know the time scope or the domain of the computers, or want to restrict the search to users in a specific domain, you can fine-tune your search with those criteria.

