How do I find where Failed Logons originate? :

How do I find where Failed Logons originate? Print

Created by: Robert Siegmund

Modified on: Thu, Feb 20, 2020 at 10:42 AM

If the Alert on Excessive Logon Failures monitor or the Logon Reporting monitor indicates failed logon attempts, it may be helpful to determine the source of those logon attempts. Network logons (or Type 3 logons) can come from anywhere and they will all be logged on the computer's Event Viewer.

On the computer that is showing repeated failed logons, open the Event Viewer's Security logs and filter for Event Id: #4625. Each entry shown is a failed logon attempt. Double-click a log to view it:

The event will display the IP address and, when available, computer name of the machine that attempted to logon to this computer.

With the release of Third Wall version 2.5.0.2, the Alert on Excessive Logon Failure policy ticket will list the logon names that caused the alert to occur.

Robert is the author of this solution article.

Did you find it helpful? Yes No

How do I find where Failed Logons originate? Print

Related Articles