How to include the hostname of the device in a DC's event log?

    Question

  • I work in the security team for my company and we often get authentication failures from users that we parse through our SIEM. Currently an event log coming from the domain controller looks like this (some info has been modified): 

    Account Information:
    Account Name: user@CORP.LOCAL
    Account Domain: CORP.LOCAL
    Logon GUID: {#xx##x##-####-####-x#x#-##xx#x#x#xx#}

    Service Information:
    Service Name: CORPDC$
    Service ID: CORP_AD\CORPDC$

    Network Information:
    Client Address: ::ffff:###.##.##.##
    Client Port: 60466

    Additional Information:
    Ticket Options: 0x40800000
    Ticket Encryption Type: 0x12
    Failure Code: 0x0
    Transited Services: -

    However, there's no hostname listed in the log data, and in other instances I have seen something along the lines of "Caller Computer Name:" that will identify the hostname in the log. Many of our devices are set to DHCP, so simply having the IP isn't always the most efficient route. Is this a simple auditing policy that needs to be changed, or something else? I'm not a DC admin, but I'd like to pass the information on to them.

    Thank you in advance!

    Thursday, February 23, 2017 8:14 PM

Answers

  • AFAIK you cannot change what is built in. I mean if that event ID has no column for hostname, I do not believe that you can tweak the event viewer to somehow show the caller computer name. Either you should use another event or do something else like translating the IP to hostname, which requires you to have Reverse Lookup Zones in your DNS. 

    Mahdi Tehrani   |     |   www.mahditehrani.ir


    Friday, February 24, 2017 4:14 AM
    Moderator
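The event in the question is Kerberos service-ticket request auditing (Event ID 4769), which only records the client's IP address. The answer's suggestion of translating that IP to a hostname through a reverse lookup zone can be scripted on the DC. The following PowerShell is an added example, not code from the thread or from Microsoft: it pulls recent 4769 events from the Security log, strips the IPv4-mapped `::ffff:` prefix shown in the question, queries the PTR record, and then forward-confirms the name (its A record must contain the original IP). The forward check matters on a DHCP network, where a PTR record can lag behind lease churn and point at a machine that no longer holds the address. It assumes you run it elevated on a DC (or a host with the Security log readable over RPC) and that a reverse lookup zone exists; `Resolve-ClientHost` is a hypothetical helper name.

```powershell
# Added example, not part of the original thread.
# Enrich Event ID 4769 (Kerberos service ticket requested) with a hostname via
# reverse DNS, then forward-confirm the PTR answer before trusting it.
# Assumes: elevated session on a DC, a reverse lookup zone in AD DNS.

function Resolve-ClientHost {
    param([Parameter(Mandatory)][string]$ClientAddress)

    # 4769 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
    $ip = $ClientAddress -replace '^::ffff:', ''
    if ($ip -in @('::1', '127.0.0.1')) {
        return [pscustomobject]@{ IP = $ip; Host = 'localhost'; Confirmed = $true }
    }

    # Reverse lookup: requires a PTR record, i.e. a populated reverse lookup zone.
    try {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
    } catch {
        return [pscustomobject]@{ IP = $ip; Host = $null; Confirmed = $false }
    }
    $name = $ptr.NameHost.TrimEnd('.')

    # Forward-confirm: the name's A records must include the original IP.
    # A mismatch means a stale PTR (DHCP churn) or a wrong record; do not trust it.
    $fwd = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{ IP = $ip; Host = $name; Confirmed = ($fwd -contains $ip) }
}

# Pull recent 4769 events and read the fields from the event XML by name
# (TargetUserName, ServiceName, IpAddress, Status are the 4769 EventData names).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 200 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $r = Resolve-ClientHost -ClientAddress $d.IpAddress
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d.TargetUserName
        Service   = $d.ServiceName
        ClientIP  = $r.IP
        Hostname  = $r.Host
        Confirmed = $r.Confirmed
        Status    = $d.Status      # "Failure Code" in the rendered message
    }
  } | Format-Table -AutoSize
```

Rows with `Confirmed = False` are the ones to treat with suspicion in a SIEM: either the reverse zone is missing the record (the DHCP server or client is not registering PTRs) or the lease has moved. For the lockout case the question mentions, "Caller Computer Name" comes from a different event (account lockout, 4740), so an alert that needs a hostname should be built on that event rather than on 4769.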

All replies

  • Hi,

    Is there any feedback?

    Best Regards,

    Jay



    Monday, February 27, 2017 3:43 PM
    Moderator