Performance Monitor Error Logons

Question

Hi together

I have a question about the Performance Monitor. We have a server (Windows 2019 Standard) that we are monitoring. This server has an huge amount of Logon Errors that will show up in the Performance Monitor and in Nagios. (Rebooting Server, after 3 hours we have arount 3000 Logon Errors)

Unfortunatly we see only 1 Entry (ID:4625) in the Event Viewer (Security) and nothing more.

Where did the Peformance Monitor take the Logon Errors from and is there a way that we can find out wich source/system is causing the logon errors?

Thank you for your help.

Best regards,
Florian

Answer 1

Hi there,

Event ID 4625 (viewed in Windows Event Viewer) documents every failed attempt at logging on to a local computer. This event is generated on the computer from where the logon attempt was made. A related event, Event ID 4624 documents successful logons.

Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

If you cannot find the SID and still need to know the source of the log-on errors, I would suggest you use the Sysmon.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Hi @Limitless Technology

Thank you for your feedback. Will try to get some more information with the "Sysmon" and getting back with feedback soon.

Best regards,
Florian