[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BBWin Messages | Filter Security

To: hobbit (at) hswn.dk
Subject: BBWin Messages | Filter Security
From: MFisher (at) hra.com
Date: Tue, 14 Apr 2009 08:43:58 -0700


Hi

For the life of me i cant figure out how to block certain 529 windows
security failure errors for specific users. In the documentation it states
to use the "USER" attribute but this only works if the user is mentioned in
the user field of the error log. If it mentions "NT AUTHORITY\SYSTEM", is
it not possible to restrict it based on the user?

Example:

security: failure - 2009/04/13 17:40:55 - Security (529) - NT
AUTHORITY\SYSTEM
 "Logon Failure: Reason: Unknown user name or bad password User Name:
John1234
 Domain: CONTOSO Logon Type: 3 Logon Process: NtLmSsp Authentication
Package:
 NTLM Workstation Name: \\123.45.67.89 Caller User Name: - Caller Domain: -
Caller
 Logon ID: - Caller Process ID: - Transited

The username is "NT AUTHORITY\SYSTEM" but the actualy user is "John1234"..

Anybody have and ideas? I dont want to block "NT AUTHORITY\SYSTEM".

Follow-Ups:
- Re: [hobbit] BBWin Messages | Filter Security
  - From: MFisher

Prev by Date: RE: [hobbit] Troubleshooting Alerts -- Having Problems
Next by Date: RE: [hobbit] Troubleshooting Alerts -- Having Problems
Previous by thread: Re: [hobbit] Hobbit client for RHEL5
Next by thread: Re: [hobbit] BBWin Messages | Filter Security
Index(es):
- Date
- Thread