High number of failed logon from a user-id by windows servers.
Hello,
While analysing reports relevant to faild logon from user-id in the window plateform, we get a high number of failed logon attempts from user-id finished by $ sign (5980 attempts in hour basis), these user-ids does not represnt a valid user-id, do you have any explication for this kind of events.
I have another question related TACACs server, i add two Tacacs servers to be monitored by envision, the first one, i get events and reports correctly, while for the other server, i receive relevant events in the didacetd ftp directory but i can't found this server in the managed devices, i did not find any relevant events for this server in reports.
The usernames with the $ are typically Windows service or system accounts as opposed to standard user accounts.
Second question:
Are you saying that the files are being FTP'ed into the ftp_files folder for that device but then the filereader never reads them, or are you saying the filereader picks them up but then the device is never discovered?
What Windows event are you alerting on? We use the Security 529 message, but set the threshold fairly high to prevent nuisance alerts. We see few or no system or machine accounts (those with a trailing $). 529 can be a noisy event so use this with caution.
