Incorrect user logging, or, should I ignore the "Anonymous Logon" account?

  • Question
  • Updated 5 years ago
  • Answered
I'm seeing client machines connecting to my Exchange server with the ANONYMOUS LOGON account on a MAPI port, and moving large amounts of data. A little shock there.

I backed off the filter in LG and looked at the IPs only. I discovered that LG logs ANONYMOUS intermittently with the user name.

My expectation is that this is due to LG picking ANON up from the event logs at intermittent times, and just going off of the last name/IP pair it sees.

If this is the issue, it would seem to have wider implications. For example, I saw almost a terabyte logged under some low traffic service account. That was pretty startling until I figured out that it was actually my backups running, which run under their own account. So the only issue was that it was logged incorrectly in LG, which I attribute to the event log polling thing I described above.

Make sense? ;-)

So I wonder if there's any way to mitigate this problem. Or, is this just a natural fact of life in LG?

Thanks.

Terry Hernlund


Posted 5 years ago

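A small model of the attribution problem described in the question, added here as an example and not LANGuardian's own code (the appliance's real matching rules are not shown on this page): logon events are replayed, the last non-ignored account seen per IP wins, and hosts where several accounts log on within one polling window are flagged as unreliable for user attribution. The account names, IPs, the ignore list and the one-hour window are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows logon (4624-style) events as (time, account, source IP).
SAMPLE_EVENTS = [
    ("2019-03-01 08:00:00", "thernlund", "10.1.1.20"),
    ("2019-03-01 08:05:00", "ANONYMOUS LOGON", "10.1.1.20"),  # system noise on a user PC
    ("2019-03-01 02:00:00", "svc-backup", "10.1.1.50"),       # backup job on a server
    ("2019-03-01 02:10:00", "svc-monitor", "10.1.1.50"),      # second service account, same host
    ("2019-03-01 09:00:00", "jdoe", "10.1.1.21"),
]

# Hypothetical equivalent of the 'User accounts to ignore' list.
IGNORED_ACCOUNTS = {"ANONYMOUS LOGON"}


def parse(events):
    """Turn the string timestamps into datetimes and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), a, ip) for t, a, ip in events)


def last_seen_mapping(events, ignored=IGNORED_ACCOUNTS):
    """IP -> account using a last-logon-wins rule, skipping ignored accounts.

    Every flow from that IP is attributed to this account until the next
    poll sees a different logon, which is the behaviour described above.
    """
    mapping = {}
    for _ts, account, ip in parse(events):
        if account not in ignored:
            mapping[ip] = account
    return mapping


def ambiguous_hosts(events, window=timedelta(hours=1), ignored=IGNORED_ACCOUNTS):
    """IPs where two different non-ignored accounts logged on within `window`.

    Traffic from such hosts (typically servers running several service
    accounts) cannot be pinned to one user by a last-seen rule, so they are
    candidates for review or for exclusion from user-based reporting.
    """
    by_ip = defaultdict(list)
    for ts, account, ip in parse(events):
        if account not in ignored:
            by_ip[ip].append((ts, account))
    flagged = defaultdict(set)
    for ip, logons in by_ip.items():
        for i, (t1, a1) in enumerate(logons):
            for t2, a2 in logons[i + 1:]:
                if t2 - t1 <= window and a1 != a2:
                    flagged[ip].update({a1, a2})
    return {ip: sorted(accts) for ip, accts in flagged.items()}
```

Dropping the ignore list (`ignored=set()`) makes the user PC show up as ANONYMOUS LOGON, which is the misattribution the question reports.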

Darragh Delaney, Employee

Hi Terry,
There is a facility in the LANGuardian AD setup where you can add 'system' accounts like this.

1. Click on the gear symbol top right
2. Scroll down to the Identity Configuration section and click on 'Configure support for Active Directory identity logging'
3. Click on advanced and then add this account to the 'User accounts to ignore' section

If you have any further queries on this, please email support@netfort.com, or you can also continue the conversation on this thread.

Darragh

Terry Hernlund

Right. I know about that section. This works for some accounts, but other accounts I can't ignore, and don't want to rename on a per-system basis.

I was wondering if there was any other way to mitigate the issue of multiple accounts being used by a single system. I understand how LG works well enough to know that there *probably* isn't.

I'll probably just have to re-identify all my server traffic, and ignore everything else not user related.

As a related question... when I ignore things under the Identity settings, that traffic is still logged, yes? It's just not identified? Or is that traffic dropped?

Are there any cases where LG does drop and not log traffic?

Darragh Delaney, Employee

Hi Terry,
First up, no traffic is dropped by the LANGuardian; everything is logged with source and destination IP addresses together with some MAC info. What we need to do in your case is tune the AD setup to meet your requirements.

Happy to set up a support call to discuss the options.

Darragh