Anonymous_User Absent Member.

Re: Windows Negotiate will change SourceIP to 0.0.0.0

I do not know specifically which event would do this, but here are some
steps to narrow down why it is happening:

First, any time you have an odd collector parsing issue, get a connector dump.
1. In ESM go to the relevant connector node.
2. Go to the node's settings (right-click, then 'Edit' or something).
3. Enter a path for a dump file and check the box to enable it.
4. Duplicate the event(s) in question.
5. Go back to the connector node and disable the connector dump (checkbox).
6. Look at the resulting file to see your events.

At this point you can see if, besides the event viewer, the Windows
machine actually sent (or had pulled, usually) the event in the same way
as you expected. If not, then you need to fix the event source (Windows
in your case), and if so, then we can start debugging the collector. You
can do this either by opening a Service Request (SR) with Novell/NetIQ
and sending the connector dump describing exactly what you are seeing
(screenshots, event exports, good descriptions, etc.), or you debug on
your own.

Debugging on your own:
1. Create a new collector node for your type of collector.
2. Create a File Connector underneath your new collector.
3. Create a file event source under the connector which points to your
connector dump file. Offset: Always start from beginning. 'Replay' or
'Connector Dump' mode (or something like that) should be chosen for the
file format.
4. Start the collector in debug mode and step through until you see
what is happening.
*Note* - There is a lot to step 4. I'd recommend opening a ticket with
Novell/NetIQ unless you are a fairly comfortable programmer.

Good luck.