IpAddress missing in logon event (event ID 4624) when a client logs on to an Exchange server using POP3 or IMAP
Hi, I am trying to monitor client logon events on an Exchange server. The problem I have is that when a client accesses Exchange via POP3 or IMAP, event ID 4624 doesn't have the client's IP address. I asked the Exchange monitoring forum and they pointed me to an Exchange update that is supposed to generate event ID 2104 with similar information. I tried that but it didn't work out. The thread is: http://social.technet.microsoft.com/Forums/en-US/exchangesvrmonitoring/thread/ab7a16ba-133f-4383-9369-9ac4668d45aa Can someone in this forum help me see why 4624 doesn't have the IP address, or why 2104 is not generated in my security log? Thanks, Felix
June 8th, 2011 1:41pm

The lack of an IP address in 4624 is probably because of two things: All versions of Exchange and Windows have supported multiple, very different, network protocols, and historically there was no coherent way to "just get the network address as a text snippet for logging" across all those protocols. Throw in the fact that this event is probably also logged when a service on the Exchange server itself (such as some backup agents) accesses an account, and whoever designed event 4624 many years ago probably just decided it would be too difficult to do this. (Note that because you must be able to view events logged by a previous version after upgrading, it is not possible to add data items to a message without changing the event number.)

On many networks, the assigned network addresses change so often they are not useful by the time someone reads the event log. This includes IPv4 with DHCP lifetimes of less than 4 days (addresses change over the weekend), IPv6 with randomized identifiers or privacy extensions enabled (the default), and all manner of "dial up" networking, including PPTP VPN access and the IP addresses assigned to smartphones by phone companies. Evil computer attackers since the 1980s have been hiding their own network addresses by passing their traffic through multiple already attacked unimportant computers. So the designer of message 4624 probably concluded that logging the network address would be less useful than logging the user name that was confirmed by the login.

Unfortunately you haven't said whether the message numbers you give are in the "audit", "System" or "Application" log, or which component is indicated as the "message source" (each "message source" has its own meaning for message numbers; a message number without the "message source" is like a computer name without the domain), which may be the reason no one else has had any answer yet.
April 28th, 2012 5:18am
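Added example, not part of either post above: a PowerShell script that pulls the 4624 events from the Security log on the server, records the provider name (the "message source" the reply asks about), and splits them into logons that carry a remote client address and logons that do not, grouped by logon type and authentication package. This lets you see for yourself whether the address-less events are local service logons or network logons that can then be matched by time and user name against the POP3/IMAP service's own logs. It assumes an elevated PowerShell session on the Exchange server (Windows Server 2008 or later); the field names used are the standard 4624 EventData names, and the `$Hours` window is a constructed default.

```powershell
# Added example (not from the thread): summarise which 4624 logon events in
# the Security log lack a usable client IpAddress.
# Assumes: run elevated on the Exchange server; Windows Server 2008 or later.

param(
    [int]$Hours = 24,              # constructed default: look back one day
    [string]$LogName = 'Security'
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = $LogName; Id = 4624; StartTime = $since }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Addresses Windows writes when there is no remote client to report.
$noClient = @('-', '::1', '127.0.0.1')

$rows = foreach ($e in $events) {
    # 4624's fields arrive as <Data Name="..."> elements inside the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $ip = $d['IpAddress']
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Provider    = $e.ProviderName        # the "message source" of this event
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']        # 3 = network, 5 = service, 8 = NetworkCleartext
        AuthPackage = $d['AuthenticationPackageName']
        LogonProc   = $d['LogonProcessName']
        Workstation = $d['WorkstationName']
        IpAddress   = $ip
        HasClientIp = [bool]($ip -and ($noClient -notcontains $ip))
    }
}

"4624 events in the last $Hours h: $(@($rows).Count)"
"  with a remote client IP:      $(@($rows | Where-Object { $_.HasClientIp }).Count)"
"  without a client IP:          $(@($rows | Where-Object { -not $_.HasClientIp }).Count)"

# What kinds of logon are missing an address? Service logons (type 5) from
# agents on the server are expected here; network logons (type 3/8) are the
# POP3/IMAP candidates the question is about.
"`nAddress-less logons grouped by LogonType / AuthPackage / LogonProcess:"
$rows | Where-Object { -not $_.HasClientIp } |
    Group-Object LogonType, AuthPackage, LogonProc |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail for the address-less network logons, ready to be correlated by time
# and user name with the POP3/IMAP service's own logs.
"`nAddress-less network logons (type 3 or 8):"
$rows | Where-Object { -not $_.HasClientIp -and (@('3', '8') -contains $_.LogonType) } |
    Select-Object Time, Provider, User, LogonType, AuthPackage, LogonProc, Workstation |
    Format-Table -AutoSize
```

Save it as, for example, `Find-AddresslessLogons.ps1` and run it with `-Hours 48` to widen the window. If the address-less entries turn out to be mostly logon type 5 from the server's own service accounts, they are the local-agent case the reply describes; if they are type 3 or 8 for mailbox users, the timestamps and user names give you what you need to line them up with the POP3/IMAP protocol logs, which do record the client address.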
