ED
Advisor

Application log shows different usernames

Hi,

This is a screenshot from an Application log which shows me two different usernames.

Marked with orange and number 1 have the same username. Marked with blue is a different username. Why is destination user name different from the User field?

0 Kudos
1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor

Because user b logged in to the database server (on the Windows system) and the IP of the server was associated with this user.

A session from user a only shows this information as this information was not deleted (has not timed out).


(1)
8 Replies
Norbert_Bohusch
Advisor

Destination Username is the one associated to destination IP.

0 Kudos
ED
Advisor

Associated in which way? Can you explain more, please?

0 Kudos
Norbert_Bohusch
Advisor

By identity awareness depending on your configuration. I assume ADquery or IDC.

0 Kudos
ED
Advisor

I understand that. But if user a accesses an MS-SQL database, why is a different user b shown on destination username?

0 Kudos
Norbert_Bohusch
Advisor

Because user b logged in to the database server (on the Windows system) and the IP of the server was associated with this user.

A session from user a only shows this information as this information was not deleted (has not timed out).

(1)
ED
Advisor

Thanks for explaining. Since this was a correlated log showing user a accessing a database I don't see the point in this log of having the information about user b that is associated with that server. Do you?

0 Kudos
Norbert_Bohusch
Advisor

I wouldn't need this information, but it's better to have information I don't need than to omit it 🙂

Btw. if you don't need identity awareness on your servers (as source), you could exclude the server networks generally from IDC or ADquery.

0 Kudos
Sean_OConnor
Explorer

While I usually see omitting data as a bad thing, in this case I was misled by the wording "Destination User Name". In my experience, some logs look like user a is a compromised account that's trying to access the system at the IP that user b is associated to. I'll be updating my team and any others that ask about that feature. Maybe a name change on those fields can be considered? Also "Dst User Dn"

(1)
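A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not code from any of the posters or from Check Point): identity is tracked per IP address with a timeout, so a log for user a's connection picks up whoever last logged in on the destination server, and excluding the server network removes that association. The class and function names, IP addresses, user names and timeout value are all constructed assumptions.

```python
import ipaddress

class IdentityTable:
    """Hypothetical IP-to-user association table with a session timeout."""

    def __init__(self, timeout, excluded_networks=()):
        self.timeout = timeout
        self.excluded = [ipaddress.ip_network(n) for n in excluded_networks]
        self.entries = {}  # ip -> (user, time the login was learned)

    def learn_login(self, ip, user, now):
        # An identity source reports "user logged in on this IP". Networks on
        # the exclusion list (e.g. server subnets) are never associated.
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.excluded):
            return
        self.entries[ip] = (user, now)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, learned = entry
        if now - learned > self.timeout:  # association has timed out
            del self.entries[ip]
            return None
        return user


def enrich(conn, table, now):
    """Attach identity fields to a connection record, keyed purely by IP."""
    return {
        **conn,
        "User": table.lookup(conn["src"], now),
        "Destination User Name": table.lookup(conn["dst"], now),
    }


def demo(excluded_networks=(), timeout=12 * 3600):
    # Constructed scenario: timeout and addresses are sample values only.
    table = IdentityTable(timeout, excluded_networks)
    table.learn_login("10.1.1.20", "user_a", now=0)    # workstation login
    table.learn_login("10.2.2.10", "user_b", now=600)  # admin logs in on the DB server
    conn = {"src": "10.1.1.20", "dst": "10.2.2.10", "service": "MS-SQL"}
    return enrich(conn, table, now=3600)


if __name__ == "__main__":
    print(demo())                                   # dst user is user_b
    print(demo(excluded_networks=["10.2.2.0/24"]))  # dst user is None
```

When triaging such a log, the destination user field in this model says nothing about which account user a authenticated as on the database; it only reflects the last login seen on the server's IP.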
