Logs in Automate show multiple failed logins that don't exist in original event logs

We're seeing some strange behaviour with the EV - Failed Logins monitor.

Frequently, the monitor will alert on multiple failed logins on a machine. If I check the logs in Automate, I can see multiple failed login events (4625) happening at precisely the same second. However, when I check in Event Viewer on the original machine, only one or two events are logged.

This is causing many seemingly false positives, as we're alerted for (for argument's sake) 40 failed logins, where the original Event Viewer on the machine will only have one or two. When queried, the user will report they typed their password in wrong a couple of times, lending credence to the event log over Automate.

Has anyone seen similar behaviour? If so, did you find a solution? I don't want to ignore these alerts as they are useful (or would be if they were reliable).
