dancarman74
Engaged Sweeper II
Hello all,

I'm having an issue with a program called Splunk along with Lansweeper. We are currently getting upwards of 100,000+ event triggers caused by our Lansweeper account evidently trying to log in to a few servers. An example of one of the Splunk alerts follows:

Jul 8 09:54:17 <IP Address> Jul 8 13:54:13 SEC02 ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; Location: (<Azure Server 2>) any->WinEvtLog; user: <Lansweeper account>; 2020 Jul 08 09:54:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: <Lansweeper account>: <Company Name>: <azure server 2. company name.com>: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-796845957-1078145449-725345543-35416 Account Name: <Lansweeper Account> Account Domain: <company name> Logon ID: 0xe4bfe94 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: <Lansweeper Server> Source Network Address:<IP Address> Source Port: <port> Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128


This is one of 3 nearly identical emails received in the same millisecond. Additionally, when I try to scan the servers in question on the Lansweeper console I get this error message:

ActiveDirectory_DomainService Event 1481 Directory Service <company name>\<Lansweeper account name> 07/09/2020 12:06:11

Internal error: The operation on the object failed.

Additional Data
Error value:
2 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
''


For security reasons I have not attached errorlog.txt yet.

I have a ticket in with Lansweeper support, but have not heard back from them yet. This is a pressing issue, so I'm coming to the forums with it.
1 REPLY
FrankSc
Lansweeper Tech Support
Hi,

As also answered in the ticket you created, we don't expect these types of alerts to be generated by Lansweeper. To isolate this, you could change the password for this account in Lansweeper only; this could clarify the origin of the alerts.
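
An added example, not part of the original thread or of Lansweeper's or Splunk's tooling: one way to triage where the 4624 logons come from is to group exported alert lines by source host, address, logon type and authentication package. The account name `svc-scan`, the host names, the addresses and all function names are assumptions made for illustration, and the sample alerts are constructed.

```python
import re
from collections import Counter

# Patterns for the fields of a 4624 alert in the layout quoted in the thread.
FIELDS = {
    "account": r"New Logon:.*?Account Name:\s*(\S+)",
    "logon_type": r"Logon Type:\s*(\d+)",
    "workstation": r"Workstation Name:\s*(\S+)",
    "source_ip": r"Source Network Address:\s*(\S+)",
    "auth_package": r"Authentication Package:\s*(\S+)",
}

def make_alert(workstation, ip, account="svc-scan"):
    """Build one constructed sample alert (placeholder names and addresses)."""
    return ("2020 Jul 08 09:54:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
            "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
            "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
            f"New Logon: Security ID: S-1-5-21-0-0-0-1000 Account Name: {account} "
            f"Account Domain: EXAMPLE Network Information: Workstation Name: {workstation} "
            f"Source Network Address:{ip} Source Port: 50000 "
            "Logon Process: NtLmSsp Authentication Package: NTLM")

def parse_alert(line):
    """Return the 4624 fields of one alert line, or None for any other line."""
    if "AUDIT_SUCCESS(4624)" not in line:
        return None
    found = {name: re.search(pattern, line) for name, pattern in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def logons_by_source(lines, account):
    """Count logons of `account` per (workstation, address, logon type, package)."""
    counts = Counter()
    for line in lines:
        ev = parse_alert(line)
        if ev and (ev["account"] or "").lower() == account.lower():
            counts[(ev["workstation"], ev["source_ip"],
                    ev["logon_type"], ev["auth_package"])] += 1
    return counts

def unexpected_sources(counts, expected_workstations):
    """Keep only sources whose workstation is not a known scanning server."""
    expected = {w.lower() for w in expected_workstations}
    return {k: n for k, n in counts.items() if (k[0] or "").lower() not in expected}

# Constructed sample: three logons from the scanner, two from another host.
SAMPLE = ([make_alert("LS-SCAN01", "192.0.2.10")] * 3
          + [make_alert("APP-SRV07", "192.0.2.77")] * 2
          + [make_alert("LS-SCAN01", "192.0.2.10", account="other-user")])

if __name__ == "__main__":
    counts = logons_by_source(SAMPLE, "svc-scan")
    print(counts.most_common())
    print(unexpected_sources(counts, {"LS-SCAN01"}))
```

The Workstation Name in an NTLM logon is reported by the client, so compare it with the Source Network Address before drawing conclusions about the origin.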