Server 2003 Event Viewer Netlogon 5807 alert doesn't register in netlogon.log
Event Viewer in Server 2003 registers a Warning, Netlogon ID 5807. The time frame of the above event isn't registered in netlogon.log. How do we track down the IPs that are trying to access AD and triggering the Netlogon ID 5807 alert?
Thanks in advance.
January 17th, 2012 3:55pm
Hello,
You can stop the Netlogon service on the DCs and delete the netlogon.log file. See this thread: http://www.petri.co.il/forums/showthread.php?t=25727
Once done, inspect the new logs.
More about this event ID: http://support.microsoft.com/kb/889031
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
January 17th, 2012 3:59pm
Follow this KB: http://support.microsoft.com/kb/889031
With reference from the above KB:
If you examine the Netlogon.log file on the Windows Server 2003-based domain controller, you may find text entries that are similar to the following in the Netlogon.log file:
07/22 10:02:32 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
07/22 10:02:32 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
07/22 10:03:07 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
Note: netbios_Domain_Name is the NetBIOS name of the domain. Client_Name is the name of the client computer. Client_IPaddress is the IP address of the client computer.
Gopi Kiran | Facebook | This posting is provided AS IS with no warranties, and confers no rights.
January 17th, 2012 3:59pm
The link was already provided :)
January 17th, 2012 4:15pm
The IP address of the client computer is not defined anywhere: neither in the Netlogon alert, nor in the netlogon.log. How can the IP and/or MAC address of the unknown client be determined? Is an intruder whose IP address doesn't map to any of the existing sites in the enterprise trying to access the Domain Controller? How can an IP on a different subnet be allowed onto the DC's subnet?
In Event Viewer, the NETLOGON Event ID 5807 is time stamped at 2:57:44.
The netlogon.log registered events at 14:52:10 and 14:58:40, thus the NETLOGON Event ID from Event Viewer was not logged.
Kindly advise.
January 17th, 2012 6:33pm
The names and IP addresses of the clients in question have been logged on this computer in the following log file: 'SystemRoot\debug\netlogon.log' and, potentially, in the log file 'SystemRoot\debug\netlogon.bak' created if the former log becomes full.
The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain the text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address.
The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.
The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
--------
If you want to track everything on the DC, you can use an IDS/IPS which tracks and keeps all the required information (IP address/MAC address); you can use SNORT on the system.
Gopi Kiran | Facebook | This posting is provided AS IS with no warranties, and confers no rights.
January 18th, 2012 1:48am
Why isn't the IP and subnet of the client that triggers the NETLOGON ID 5807 recorded in 'SystemRoot\debug\netlogon.log'?
January 19th, 2012 11:08am
Hi,
By default, Netlogon service logging is not enabled. We need to enable this by using the registry or the Nltest tool (Support Tools),
but you can use the help article
"Enable debug logging" (MS Fix Me tool) to enable it.
For enabling debug logging for the Net Logon service, refer to the KB:
http://support.microsoft.com/kb/109626
and please refer to the above post to change the maximum size of the log.
--------------
FYI
The utility used to query the Netlogon log file is nlparse.exe. It is a GUI tool that comes in the ALTools.exe package at
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
nlparse contains the most common Netlogon error codes and stores its output in two files in the %windir%\debug folder: netlogon.log-out.csv and netlogon.log-summaryout.txt.
Hope the above information helps.
Gopi Kiran | Facebook | This posting is provided AS IS with no warranties, and confers no rights.
January 20th, 2012 11:44am
Netlogon.log seems to be enabled; however, the NETLOGON 5807 incidents from Event Viewer don't register in the log. The Event Viewer's NETLOGON alert time stamp is not registered/not found in the netlogon.log. Thus we are not able to determine the IP of the client and its subnet mask, which is trying to access Active Directory. Any advice would be appreciated.
January 20th, 2012 5:29pm
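The thread asks three things of netlogon.log: pull out the NO_CLIENT_SITE lines (the KB excerpt and the 5807 event text above describe the layout: MM/DD HH:MM:SS, domain, tag, client name, client IP), decide whether each client IP really falls outside the AD site subnets, and line the entries up against the Event Viewer time stamp, which Event Viewer shows on a 12-hour clock while netlogon.log writes 24-hour times without a year. The script below is an added example, not code from this thread, the KB article or Microsoft; it goes one step beyond the posts by checking each IP against a site-to-subnet table. The log lines, the CONTOSO domain, the SITE_SUBNETS table and the event date are all constructed for the example, and the 12-hour "M/D/YYYY H:MM:SS AM/PM" input format is an assumption about how the event time is copied out of Event Viewer.

```python
"""
Parse NO_CLIENT_SITE entries out of a Windows Server 2003 netlogon.log, map
each client IP against the AD site subnets, and select the entries that fall
in a window around a NETLOGON 5807 time stamp taken from Event Viewer.

Added example; not code from the thread, the KB article, or Microsoft.
The log lines, site subnets, domain name and event time are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# netlogon.log lines carry no year: MM/DD HH:MM:SS (24-hour), the NetBIOS
# domain, the NO_CLIENT_SITE tag, then the client name and the client IP.
LINE_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<domain>\S+): NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)\s*$"
)

# Constructed sample of a netlogon.log; the second line is unrelated debug
# output that the NO_CLIENT_SITE filter has to skip.
SAMPLE_LOG = """\
01/17 14:52:10 CONTOSO: NO_CLIENT_SITE: WS-FIN-07 10.20.5.44
01/17 14:55:03 CONTOSO: NetpDcGetName: CONTOSO. using cached information
01/17 14:58:40 CONTOSO: NO_CLIENT_SITE: LAPTOP-ZZ 192.168.77.9
01/17 14:58:41 CONTOSO: NO_CLIENT_SITE: LAPTOP-ZZ 192.168.77.9
01/17 16:10:22 CONTOSO: NO_CLIENT_SITE: PRINTER-3 10.20.5.200
"""

# Constructed site-to-subnet table, i.e. what AD Sites and Services would hold.
SITE_SUBNETS = {
    "HQ": ["10.10.0.0/16"],
    "Branch-Finance": ["10.20.5.0/25"],
}


def parse_no_client_site(text):
    """Return one dict per NO_CLIENT_SITE line: ts (MM/DD HH:MM:SS), domain, client, ip."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "ts": "%s/%s %s" % (m.group("month"), m.group("day"), m.group("time")),
                "domain": m.group("domain"),
                "client": m.group("client"),
                "ip": m.group("ip"),
            })
    return entries


def site_for(ip, site_subnets=SITE_SUBNETS):
    """Name of the AD site whose subnet contains ip, or None when no site matches."""
    addr = ipaddress.ip_address(ip)
    for site, nets in site_subnets.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return site
    return None


def unmapped_clients(text, site_subnets=SITE_SUBNETS):
    """Distinct (client, ip) pairs that match no site subnet, with a hit count each."""
    counts = {}
    for e in parse_no_client_site(text):
        if site_for(e["ip"], site_subnets) is None:
            key = (e["client"], e["ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def entries_near(text, event_time, window_minutes=10):
    """NO_CLIENT_SITE entries within +/- window_minutes of an Event Viewer time stamp.

    event_time is the 12-hour form Event Viewer displays, e.g. "01/17/2012 2:57:44 PM";
    its year is reused for the log lines because netlogon.log records none.
    """
    center = datetime.strptime(event_time, "%m/%d/%Y %I:%M:%S %p")
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in parse_no_client_site(text):
        when = datetime.strptime("%d %s" % (center.year, e["ts"]), "%Y %m/%d %H:%M:%S")
        if abs(when - center) <= window:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for (client, ip), n in unmapped_clients(SAMPLE_LOG).items():
        print("unmapped: %-12s %-15s hits=%d" % (client, ip, n))
    for e in entries_near(SAMPLE_LOG, "01/17/2012 2:57:44 PM"):
        print("near event: %s %s %s" % (e["ts"], e["client"], e["ip"]))
```

Two things the output makes visible that the thread's posts do not: a client that appears in the log but whose IP now matches a site subnet (WS-FIN-07 above) was unmapped when the DC wrote the line, so the site table has changed since, and a 12-hour Event Viewer time of 2:57:44 PM is 14:57:44 in netlogon.log terms, which is why the search is done over a window rather than for an exact string match.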