Thousands of entries in Apache access logs for a single IP

We are seeing thousands of connections in our Apache access logs coming from the same IP address connecting to the same pages within a short period of time (~5-20 minutes). We see this in Firefox 27, 28, 29, and 30. Below is an example of the entries, and how they loop continuously. I have not been able to reproduce the problem manually, but this happens several times a week, and I see evidence in our logs, and by monitoring the session count in our database, which increases when this happens.
Why is this happening? Is this a bug? I see a bug report filed at https://bugzilla.mozilla.org/show_bug.cgi?id=976878, but I do not see any replies.
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/login?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1" 302 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/login/?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1" 200 1000 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/portal/frameset.jsp HTTP/1.1" 200 1160 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/login?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1" 302 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/login/?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1" 200 1000 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
xxx.xxx.xxx.xxx - - [18/Jun/2014:16:03:50 -0400] "GET /webapps/portal/frameset.jsp HTTP/1.1" 200 1160 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0" "-"

Sorry, beyond the scope of this Firefox user support forum.
You could try posting to the Web Development / Standards Evangelism forum at MozillaZine. The helpers over there are more knowledgeable about web site issues with Firefox.
http://forums.mozillazine.org/viewforum.php?f=25
You'll need to register and login to be able to post in that forum.
Or you could add information to that Bug report or create a new Bug report.
Or the appropriate Google Group, linked in the right column of this page after you scroll-down a bit - http://www.mozilla.org/about/forums/
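
Added example, not part of the original thread: a Python script that finds the pattern in the log excerpt above, a short cycle of requests from one client repeated back to back, and reports whether the cycle contains a 3xx response. The sample lines are constructed (documentation-range IPs, request paths copied from the excerpt), and the thresholds `max_gap_s`, `max_period` and `min_repeats` are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined access-log prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (host, timestamp, (method, target, status)) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, (m["method"], m["target"], m["status"])


def bursts(events, max_gap_s):
    """Split one client's events (kept in log order) wherever it was quiet for more than max_gap_s."""
    burst = []
    for ev in events:
        if burst and (ev[0] - burst[-1][0]).total_seconds() > max_gap_s:
            yield burst
            burst = []
        burst.append(ev)
    if burst:
        yield burst


def find_loop(events, max_period, min_repeats):
    """Longest run in which request i equals request i - period; shorter periods win ties."""
    tokens = [tok for _, tok in events]
    best = None
    for period in range(1, max_period + 1):
        run_start = None
        for i in range(period, len(tokens) + 1):
            same = i < len(tokens) and tokens[i] == tokens[i - period]
            if same and run_start is None:
                run_start = i - period
            elif not same and run_start is not None:
                length = i - run_start
                if length // period >= min_repeats and (best is None or length > best["requests"]):
                    cycle = tokens[run_start:run_start + period]
                    best = {
                        "period": period,
                        "repeats": length // period,
                        "requests": length,
                        "cycle": cycle,
                        "first_seen": events[run_start][0],
                        "last_seen": events[i - 1][0],
                        # a 3xx inside the cycle points at a redirect loop rather than plain polling
                        "has_redirect": any(status.startswith("3") for _, _, status in cycle),
                    }
                run_start = None
    return best


def detect_loops(lines, max_gap_s=60, max_period=6, min_repeats=3):
    """Group parsed lines by client, then look for a repeating cycle inside each burst."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_host[rec[0]].append((rec[1], rec[2]))
    findings = []
    for host, events in per_host.items():
        for burst in bursts(events, max_gap_s):
            loop = find_loop(burst, max_period, min_repeats)
            if loop:
                findings.append({"host": host, **loop})
    return findings


def build_sample():
    """Constructed log: one looping client and one ordinary client."""
    cycle = [
        ("GET /webapps/login?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1", "302 -"),
        ("GET /webapps/login/?new_loc=%2Fwebapps%2Fportal%2Fframeset.jsp HTTP/1.1", "200 1000"),
        ("GET /webapps/portal/frameset.jsp HTTP/1.1", "200 1160"),
    ]
    lines = [
        f'192.0.2.10 - - [18/Jun/2014:16:03:{50 + n // 3:02d} -0400] '
        f'"{cycle[n % 3][0]}" {cycle[n % 3][1]} "Mozilla/5.0" "-"'
        for n in range(12)
    ]
    for sec, path in enumerate(["/index.html", "/about.html", "/index.html", "/contact.html"]):
        lines.append(
            f'192.0.2.20 - - [18/Jun/2014:16:04:{sec:02d} -0400] "GET {path} HTTP/1.1" 200 512 "Mozilla/5.0" "-"'
        )
    return lines


if __name__ == "__main__":
    for f in detect_loops(build_sample()):
        span = (f["last_seen"] - f["first_seen"]).total_seconds()
        print(f'{f["host"]}: {f["period"]}-request cycle x{f["repeats"]} in {span:.0f}s, '
              f'redirect={f["has_redirect"]}')
```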

Similar Messages

  • Query apache access logs for Visits, Visit duration

    I need help in querying for Visits, Visit duration in mins ..etc from apache access logs. A Visit is considered new if time difference between requests is greater than 60 mins.
    ID VISITS VISIT-DURATION-MINS
    'Usr-A' 3          112
    'Usr-B' 2          34
    My data is as below:
    ID,TIME-HR-MIN
    'Usr-A','01/01/2012 00:45'
    'Usr-A','01/01/2012 00:49'
    'Usr-A','01/01/2012 00:53'
    'Usr-A','01/01/2012 01:04'
    'Usr-A','01/01/2012 01:05'
    'Usr-A','01/01/2012 01:09'
    'Usr-A','01/01/2012 01:10'
    'Usr-A','01/01/2012 01:11'
    'Usr-A','01/01/2012 01:13'
    'Usr-A','01/01/2012 01:14'
    'Usr-A','01/01/2012 01:15'
    'Usr-A','01/01/2012 02:00'
    'Usr-A','01/01/2012 02:01'
    'Usr-A','01/01/2012 02:19'
    'Usr-A','01/01/2012 03:53'
    'Usr-A','01/01/2012 03:59'
    'Usr-A','01/01/2012 04:07'
    'Usr-A','01/01/2012 04:11'
    'Usr-A','01/01/2012 16:30'
    'Usr-A','01/01/2012 16:37'
    'Usr-A','01/01/2012 16:38'
    'Usr-A','01/01/2012 16:39'
    'Usr-B','01/01/2012 01:45'
    'Usr-B','01/01/2012 01:46'
    'Usr-B','01/01/2012 01:48'
    'Usr-B','01/01/2012 01:49'
    'Usr-B','01/01/2012 01:50'
    'Usr-B','01/01/2012 02:07'
    'Usr-B','01/01/2012 02:08'
    'Usr-B','01/01/2012 02:09'
    'Usr-B','01/01/2012 02:10'
    'Usr-B','01/01/2012 05:21'
    'Usr-B','01/01/2012 05:23'
    'Usr-B','01/01/2012 05:30'

    Hello
    I think this gives you what you need, although I think Usr-A has a total of 121 minutes not 112...
    with visit as
    (   select 'Usr-A' id,TO_DATE('01/01/2012 00:45','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 00:49','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 00:53','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:04','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:05','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:09','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:10','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:11','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:13','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:14','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 01:15','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 02:00','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 02:01','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 02:19','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 03:53','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 03:59','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 04:07','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 04:11','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 16:30','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 16:37','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 16:38','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-A' id,TO_DATE('01/01/2012 16:39','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 01:45','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 01:46','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 01:48','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 01:49','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 01:50','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 02:07','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 02:08','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 02:09','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 02:10','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 05:21','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 05:23','dd/mm/yyyy hh24:mi') time_hr_min from dual union all
        select 'Usr-B' id,TO_DATE('01/01/2012 05:30','dd/mm/yyyy hh24:mi') time_hr_min from dual
    )
    SELECT
        id,
        COUNT(*) num_visits,
        SUM(visit_time) total_visit_time
    FROM
        (   -- one row per visit: minutes between its first and last request
            SELECT
                id,
                SUM(visit_time) * 60 visit_time
            FROM
                (   -- carry each visit's start marker forward to all of its rows
                    SELECT
                        id,
                        time_hr_min,
                        visit_time,
                        MAX(marker)OVER(PARTITION BY id ORDER BY time_hr_min) marker
                    FROM
                        (   SELECT
                                id,
                                time_hr_min,
                                CASE
                                    WHEN visit_dur > 1
                                    THEN
                                        0
                                    ELSE
                                        visit_dur
                                END visit_time,
                                CASE
                                    WHEN rn = 1
                                    THEN
                                        1
                                    WHEN visit_dur > 1
                                    THEN
                                        rn
                                END marker
                            FROM
                                (   -- gap in hours since the same user's previous request
                                    SELECT
                                        id,
                                        time_hr_min,
                                        ROW_NUMBER() OVER(PARTITION BY id ORDER BY time_hr_min) rn,
                                        (time_hr_min - LAG(time_hr_min) OVER(   PARTITION BY
                                                                                    id
                                                                                ORDER BY
                                                                                    time_hr_min)
                                         ) * 24 visit_dur
                                    FROM
                                        visit
                                )
                        )
                )
            GROUP BY
                id,
                marker
        )
    GROUP BY
        id
    ORDER BY
        id
    ID    NUM_VISITS TOTAL_VISIT_TIME
    Usr-A          3              121
    Usr-B          2               34
    2 rows selected.
    HTH
    David

  • ARD Reporting failing and causing thousands of entries in my system.log for my OSX Server clients

    I have a small four system network - all running latest version of Mavericks with latest (3.7.1 ARD)
    1) OSX Server running File Sharing, DNS, OpenDirectory, Web
    2) OSX Server running DNS (secondary), OpenDirectory (secondary)
    3) OSX Server - installed but not running any services
    4) OSX Client
    When using ARD from any of the systems, any attempt to generate an ARD report targeting system #1 or #2 - the ARD report task stops at "Collecting Report Data" and I start seeing: sysinfocachegen[10506]: FSPathMakeRef error = -43 in the system.log that I'm targeting. Currently over 11000 entries in my last log file (rolled over) and am over 8000 already in the log file after my last test.
    If I target systems 3 or 4, reporting works fine. 
    Any ideas what is going on here?

    I'm getting this error too.
    20/5/2014 4:07:56.192 pm sysinfocachegen[27828]: FSPathMakeRef error = -43
    20/5/2014 4:07:56.192 pm sysinfocachegen[44825]: FSPathMakeRef error = -43
    20/5/2014 4:07:56.192 pm sysinfocachegen[63375]: FSPathMakeRef error = -43
    etc
    My OS is 10.9.3, ARD is 3.7.2 (372A19)
    I'm not trying to collect any report data as far as I know.
    I have a few ARD windows open.
    James.

  • Retrieve User & Cookie Information Using Apache Access Log Files

    Hi All
    The following information is not showing in the Apache access log files used with Oracle Appserver (10g 10.1.2):
    1) User information
    2) Cookie information
    We are using the commands below in the httpd.conf file, as specified in the documentation linked below
    http://download-west.oracle.com/docs/cd/B31017_01/web.1013/q20201/logs.html#accesslog
    LogFormat "%h %l %u %t \"%r\" %>s %b %v \"%{Referer}i\" \"%{User-Agent}i\" \"%{cookie}n\"" combined
    Can anyone please tell us what information we have to specify in the httpd.conf file to retrieve cookie and user information?
    Thanks to all
    Sona

    Thanks for your reply
    Can u please check the below link for the cookie flag information
    http://download-west.oracle.com/docs/cd/B31017_01/web.1013/q20201/mod/mod_usertrack.html
    For your information i have logged in already.
    Our Sample O/p is given below
    151.146.191.186 - - [28/Dec/2006:10:13:05 +0530] "GET /Tab_files/lowerbox.gif HTTP/1.1" 200 150 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows)"
    We are using the below command format
    LogFormat "%h %l %u %t \"%r\" %>s %b %{cookie}n \"%{Referer}i\" \"%{User-Agent}i\"" combined
    But User and Cookie informations is not displaying.
    what steps should i follow.
    Looking for the favourable reply
    Thanks

  • Retrieve Cookie Information in the Apache Access Log Files

    Hi All,
    Can anyone give me the solution or any link to follow the steps for retrieving cookie information and user information in the Apache access log files using the httpd.conf file?
    We are using Oracle Appserver 10.1.2 and we have specified the commands below in the httpd.conf file.
    LogFormat "%h %l %u %t \"%r\" %>s %b %v \"%{Referer}i\" \"%{User-Agent}i\" \"%{cookie}n\"" combined
    But it failed to retrieve cookie and user information.
    Looking forward to anyone's help.....
    Thanks
    Regards
    Sona

    Thanks for your reply
    Can u please check the below link for the cookie flag information
    http://download-west.oracle.com/docs/cd/B31017_01/web.1013/q20201/mod/mod_usertrack.html
    For your information i have logged in already.
    Our Sample O/p is given below
    151.146.191.186 - - [28/Dec/2006:10:13:05 +0530] "GET /Tab_files/lowerbox.gif HTTP/1.1" 200 150 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows)"
    We are using the below command format
    LogFormat "%h %l %u %t \"%r\" %>s %b %{cookie}n \"%{Referer}i\" \"%{User-Agent}i\"" combined
    But User and Cookie informations is not displaying.
    what steps should i follow.
    Looking for the favourable reply
    Thanks

  • Strange entries in lighttpd access log -- help!

    Hi,
    I run a lighttpd server at home. I just use it for working with some scripts, and sharing stuff with my friends. I have a dynamic IP address, so I use dyndns for getting a hostname.
    Today I noticed some strange entries in the lighttpd access log:
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:38:23 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:38:25 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:45:40 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:45:43 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:52:58 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:53:01 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:12:00:12 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:12:00:15 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:12:07:28 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:12:07:30 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    What is going on here? Some kind of spambot? Note that I don't have the sendmail service installed, and port 25 is not forwarded on my router. Is this a threat and how do I deal with this?
    Thanks.

    loafer wrote: I don't know a great deal about this. However, if you google for "lti-mail01.ltinetworks.com" you'll get a load of hits, which indicate there may be a problem.
    Yes, I did some more searching and apparently it's a known problem.
    This thing is trying to send a POST action to another site. Is there any way I can restrict POST actions to my own domain?
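
Added example, not part of the original thread: a Python script that flags the pattern in the log above, requests whose target names a host other than the server's own (an absolute URL, or a CONNECT), and records per client whether any of them was answered with a 2xx. The sample lines are constructed in the shape of the excerpt, and `myhome.example.org` as the server's own hostname is an assumption.

```python
import re
from urllib.parse import urlsplit

# client, Host header (lighttpd) or ident (Apache), user, [time], "METHOD target ...", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def foreign_destination(method, target, own_hosts):
    """Return the host[:port] a request tried to reach through this server, or None."""
    absolute = "://" in target and not target.startswith("/")
    if not absolute and method != "CONNECT":
        return None  # origin-form (/path?query): an ordinary request, even if the query holds a URL
    try:
        # absolute-form is a full URL; CONNECT normally carries a bare host:port
        parts = urlsplit(target if absolute else "//" + target)
        host = (parts.hostname or "").lower()
    except ValueError:
        return target  # malformed authority: report it verbatim
    if host in own_hosts:
        return None  # absolute-form naming our own site is legal HTTP/1.1
    return parts.netloc.lower() or target


def find_proxy_probes(lines, own_hosts):
    """Summarise proxy-style requests per (client, destination)."""
    own = {h.lower() for h in own_hosts}
    probes = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dest = foreign_destination(m["method"], m["target"], own)
        if dest is None:
            continue
        entry = probes.setdefault((m["client"], dest), {"count": 0, "methods": set(), "statuses": set()})
        entry["count"] += 1
        entry["methods"].add(m["method"])
        entry["statuses"].add(m["status"])
    for entry in probes.values():
        entry["methods"] = sorted(entry["methods"])
        entry["statuses"] = sorted(entry["statuses"])
        # a 2xx means the server answered instead of refusing; worth checking what it sent back
        entry["answered_2xx"] = any(s.startswith("2") for s in entry["statuses"])
    return probes


SAMPLE = [  # constructed lines, documentation-range addresses and example domains
    '198.51.100.7 mail.example.net:25 - [14/Feb/2010:11:38:23 +0530] '
    '"POST http://mail.example.net:25/ HTTP/1.0" 200 8 "-" "-"',
    '198.51.100.7 - - [14/Feb/2010:11:38:25 +0530] '
    '"CONNECT http://mail.example.net:25 HTTP/1.0" 501 357 "-" "-"',
    '203.0.113.5 myhome.example.org - [14/Feb/2010:11:40:02 +0530] '
    '"GET /scripts/list.cgi?next=http://x.example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 myhome.example.org - [14/Feb/2010:11:40:09 +0530] '
    '"GET http://myhome.example.org/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (client, dest), info in find_proxy_probes(SAMPLE, ["myhome.example.org"]).items():
        print(client, "->", dest, info)
```

A 2xx on such a request does not by itself show that anything was relayed; compare the response size with what the server returns for its own `/`.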

  • Username not showing up in access log for authenticated users

    I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
    request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
    Here's an excerpt from the access log:
    // anonymous access attempt, redirects to login page...
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
    // at this point they are logged in and their username should be reflected in the access log, but is not:
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532
    And the relevant code from the web application's web.xml:
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>AllFiles</web-resource-name>
          <description>
                     Restricts anonymous access.
                  </description>
          <url-pattern>/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>
                   Authenticated Users
                  </description>
          <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>
    I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

    Some background:
    The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The converse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
    (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
    That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
    If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
    If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

  • WSA access logging for HTTPS traffic

    Hi,
    We have a WSA s370 with AsyncOS  version 7.5.1-079 and it is configured as a transparent proxy.
    HTTPS proxy is enabled and all the URL categories set to pass through ( no decrypting or monitoring ).
    Seems like the WSA does not generate logs for HTTPS transactions.
    I would like to know whether this is the expected behaviour.
    Is there any way that I can monitor HTTPS transactions without decrypting ?
    Thanks,
    Wipula.

    In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it will be done so using the IP address.
    In the access logs, you will see the following transaction when accessing an HTTPS site (google for example):
    TCP_CONNECT 74.125.101.50
    It will only report URLs once decrypted.  At that point, it is just HTTP.
    -Vance

  • Is There a Way to Run a Redo log for a Single Tablespace?

    I'm still fairly new to Oracle. I've been reading up on the architecture and I am getting the hang of it. Actually, I have 2 questions.
    1) My first question is..."Is there a way to run the redo log file...but to specify something so that it only applies to a single tablespace and it's related files?"
    So, in a situation where, for some reason, only a single dbf file has become corrupted, I only have to worry about replaying the log for those transactions that affect the tablespace associated with that file.
    2) Also, I would like to know if there is a query I can run from iSQLPlus that would allow me to view the datafiles that are associated with a tablespace.
    Thanks

    > 1) My first question is..."Is there a way to run the redo log file...but to specify something so that it only applies to a single tablespace and it's related files?"
    No, you can't specify a redolog file to record the transaction entries for a particular tablespace.
    In case a file gets corrupted, you need to apply all the archivelogs since the last backup plus the redologs to bring back the DB to consistent state.
    > 2) Also, I would like to know if there is a query I can run from iSQLPlus that would allow me to view the datafiles that are associated with a tablespace.
    Select file_name,tablespace_name from dba_data_files will give you the
    The above will give you the number of datafiles that a tablespace is made of.
    In your case you have created the tablespace with one datafile.
    Message was edited by:
    Maran.E

  • Unwanted Query string appears in Apache access log file

    hi,
    I tried the following code to send the request for a servlet.
    uri = "/servlet/Participant";
    res.sendRedirect(getScheme( req ) + req.getServerName() + (req.getServerPort() == 454 ? (":" + req.getServerPort()) : "") + uri);
    Here I am not appending any QueryString. But the log entry in Apache2 HTTP Server displays the QueryString appended. Below is the log entry.
    Host name - - [12/Apr/2009:23:58:58 +0100] "GET /servlet/Participant/?login.userid=mullapati&login.password=venkat12345 HTTP/1.1" 500 1274
    any thoughts how it is happening?
    Thanks,
    Venkatesh

    when u do a HttpServletResponse.redirect(url), the server merely sends a HTTP 307 response (Temporary Redirect) back to the client together with the url (which is what you formed up).
    It is up to the client to make a second request to the server at the redirected URL. Your client (whatever it is, browser, etc) could be appending the query string at the end of the URL.

  • User access logging for my Oracle database 9.2.0.3 and Linux server

    Hi Friends,
    I would like to have a record of users who had accessed my oracle apps database(9.2.0.3).Please let me know the method.
    Also i would like to record the users who had connected to my linux server (using putty) please suggest a method.
    Regards,
    Arun

    user564706 wrote:
    I would like to have a record of users who had accessed my oracle apps database(9.2.0.3).Please let me know the method.
    Perhaps sed (man sed) and records in listener.log, default at OH/network/log/, could help you to find a method.
    Also i would like to record the users who had connected to my linux server (using putty) please suggest a method.
    Take a look in /var/log e.g. wtmp (if such file name exists, and use man command on the file names to learn their usage). Should at least help identify telnet/ssh sessions.

  • Apache access log reader

    I used webalizer before on my linux server. What is the best / simplest web log reader that will run on the Mac Server (is there one bundled with XServe)?

    If you're looking for something that will print pretty graphs showing hits over time, referer reports, geographical breakdown, etc., then there's nothing built-in to Mac OS X that will generate these. However, since you're familiar with Webalizer you can just download and install it on your Mac server and continue.
    http://www.mrunix.net/webalizer/

  • Event 4740 Not Logged for a Single Account Lockout

    Domain Functional Level: 2003
    PDC Emulator: 2008 R2
    Lockout Origin DC (also the RADIUS server): 2003 R2
    For quite a while now I have been relying on Event 4740 on the PDC Emulator to track account lockouts. Usually when the RADIUS server causes an account lockout, the Caller Computer Name is blank in the Event 4740. This usually tells me that our Cisco WLAN Controller caused the lockout.
    Our Default Domain Policy is set to audit Account Logon Events for failure, Account Management for success/failure, and Logon Events for success/failure (plus numerous other things).
    This time there is no Event 4740 for this account lockout and I can't figure out why. The events are there for other lockouts several minutes before or after this one. Windows just hates me so it decided to skip this one. The main reason this is a problem is because I just set up Scheduled Task on the PDC Emulator, triggered by Event 4740, to run a PowerShell script that will provide the help desk with a report for each account lockout, even parsing the IIS logs on the Client Access Server to identify which ActiveSync device caused it. Of course the week after I announce that, Windows decides not to log one.
    Using LockoutStatus.exe I determined that the Origin DC for the lockout was the RADIUS server.
    NetLogon debug logging is enabled on the RADIUS server, however I took a nap today after being let out of work early for the holiday so by the time I checked the netlogon.bak file it had already been overwritten with newer data.
    There was, however, an Event 644 locked on the RADIUS server (pasted below with domain/computer/user details edited for privacy).  I don't even know where to start as far as trying to prevent this from happening again.  Anyone have any suggestions?
     Within the next couple months I will spin up a 2012 RADIUS server and a separate 2008 R2 DC to replace the 2003 multipurpose server, but it's not high on my boss's priority list so it's a tough sell considering the WLAN is functional right now.
    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management 
    Event ID: 644
    Date: 12/31/2014
    Time: 10:00:35 AM
    User: NT AUTHORITY\SYSTEM
    Computer: DomainControllerAndRadiusServer
    Description:
    User Account Locked Out:
    Target Account Name:
    LockedOutUser
    Target Account ID:
    DOMAIN\LockedOutUser
    Caller Machine Name:
    CISCO
    Caller User Name:
    DomainControllerAndRadiusServer$
    Caller Domain:
    DOMAIN
    Caller Logon ID:
    (0x0,0x3E7)

    Hi,
    I suggest you use Auditpol command to check the current auditing status on Domain Controller.
    You can type this command below:
    Auditpol /get /Category:Logon/Logoff
    If the Account Lockout subcategory is set to no auditing, please use /set option to enable auditing:
    Auditpol /set /Subcategory:"Account Lockout" /Success:enable /Failure:enable
    More information for you:
    Auditpol
    http://technet.microsoft.com/en-us/library/cc731451.aspx
    Best Regards,
    Amy

  • Not getting entry in error logs for SP2

    Hi All,
    I am using SP2 on Solaris 5.9. I got the below entry in the access logs.
    75.187.38.17 - - [05/Dec/2007:00:25:07 -0500] "POST /test/testmac.htmlPOST " 400 147
    74.197.120.159 - - [05/Dec/2007:00:26:02 -0500] "" 400 147
    76.118.146.74 - - [05/Dec/2007:00:29:27 -0500] "" 400 147
    66.159.193.19 - - [05/Dec/2007:00:31:17 -0500] "" 400 147
    As it is visible that request resulted 400 response code, but I don't see any entry in the error logs.
    Do I need to enable something for this in magnus.conf ?
    At present for errors I have the following settings in the magnus.conf as
    ErrorLog /data/servers/dir/logs/errors.
    Any help would be highly appreciated.
    Thanks and regards
    -A

    400 bad requests are not logged in error logs. That usually means the request sent is malformed.
    According to RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    "10.4.1 400 Bad Request
    The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications. "
    Try attaching ssltap in between web server and browser and see what request was sent to the server.
    $/usr/sfw/bin/ssltap -h
    SSLTAP (C) 1997, 1998 Netscape Communications Corporation.
    Usage: ssltap [-vhfsxl] [-p port] hostname:port
    -v [prints version string]
    -h [outputs hex instead of ASCII]
    -f [turn on Fancy HTML coloring]
    -s [turn on SSL decoding]
    -x [turn on extra SSL hex dumps]
    -p port [specify rendezvous port (default 1924)]
    -l [loop - continue to wait for more connections]
    $ssltap -l -p 1924 wshostname:wsport
    send browser's request to 1924.
    "[05/Dec/2007:08:54:37] failure (16852): Connection queue full, closing socket"
    This error message means that server is under heavy load and connection queue is full. Try tweaking
    MaxKeepAliveConnections and ConnQueueSize parameters in magnus.conf.
    For more info refer :
    Sun ONE Web Server 6.1 Performance Tuning, Sizing, and Scaling Guide
    http://docs.sun.com/source/817-1836-10/index.html
    P/S WS 6.1 SP2 is quite old try switching to Web Server 6.1 sp8 or Web Server 7.0 update 1.
    Edited by: mv on Dec 5, 2007 2:16 PM

  • Weblogic Access Logs not getting generated / updated only for Admin server

    Hi All,
    I have a query ,
    We recently noticed that the weblogic access logs for our admin server are not getting generated.
    However we checked that the access logs are getting generated for the managed servers that we have.
    There is not much difference between the logging settings between the admin and the managed servers.
    We thought that there might be some problem with the buffering and that the data might not be written to the files immediately.
    So after researching we found the parameter "-Dweblogic.logging.bufferSizeKB=0" and added that to the java options however it did not make any difference.
    Also we tried modifying the config script as ,
    <server>
    <web-server>
    <web-server-log>
    <buffer-size-kb>0</buffer-size-kb>
    </web-server-log>
    </web-server>
    </server>
    However no luck .....
    We are using weblogic 9.2 MP3 and think there might be some bug with this version , however its hard to believe that the logs are generated and updated for managed servers and not for the admin servers.
    The only thing we notice in the access logs of the admin server is 404 errors.
    Any suggestions ?
    Regards,
    Stacey.

    This has come up recently here:
    access log not writing to disk in a timely fashion
    I didn't find that buffer-size-kb capability in the docs in 9.2. I recommend checking with support.
