Hi
on a lab environment the logs are always and only "Log in" so no "log out" or "failed log in" logs:
![collector7.JPG collector7.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24679iA20AA9299FDCB8D8/image-size/large?v=v2&px=999)
Wireshark between the AD and the machine where IDC is installed shows this when trying wrong password, log in and log out:
![a1.JPG a1.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24680i8FCF5EA003C310BC/image-size/large?v=v2&px=999)
![a2.JPG a2.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24681i49971203535D9A21/image-size/large?v=v2&px=999)
![a3.JPG a3.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24682iDB263D2C82B7A816/image-size/large?v=v2&px=999)
In production environment the logs are "failed log in" or "log out" and no "log in" logs:
![a5.JPG a5.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24683i8CEBF9F3C26D6B13/image-size/large?v=v2&px=999)
running wireshark between AD and the machine where IDC is installed shows no LDAP or kerberos packets between these machines, it shows only DCERPC packets!
the machine where IDC is installed is 10.32.0.166, same machine i run wireshark:
ip.addr == 10.8.0.12 and ldap shows nothing
ip.addr == 10.8.0.12 and kerberos shows nothing
only ip.addr == 10.8.0.12 and dcerpc shows this:
![a6.JPG a6.JPG](https://community.checkpoint.com/t5/image/serverpage/image-id/24684iC226218E5568DDC8/image-size/large?v=v2&px=999)
The question is why on lab environment I get only "log in" logs and why on production I get only "failed log in" or "log out" By the way the "failed log in" logs are not accurate because my environment is running with no problem.