Closed zibs1 closed 1 year ago
Hi @zibs1
That's a strange one.
I've just checked my machines and I get the FQDN.
Unfortunately, it's not something we specify when we create an event log entry. Windows must fill this in itself, so you might need to seek advice from Microsoft as to why this is happening.
@ryannewington thanks for coming back to me. What OS version are you running on? I can confirm this is only happening on OS 2016 onwards. Where is the Lithnet app taking the Computer name value from? Because if that were OS or configuration specific, why are built-in and all remaining events taking the FQDN?
@zibs1 I'm using Server 2019 and 2022
We use this API from Windows https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-reporteventa
We don't provide a computer name at all.
@ryannewington can you post here a screenshot of Lithnet Event ID 4, how it actually looks?
Also, can you tell me what the command output of hostname is from the machine? Is it just the host or the FQDN?
@ryannewington Would that have anything to do with how the messages are being described in C:\Program Files\Lithnet\Active Directory Password Protection\messages.dll?
I just scanned through various events in both system and application logs and can confirm 99.99% of events are coming with Computer names as FQDN, except for LPP, so I'm inclined to say this is definitely a problem with LPP rather than a Windows server itself.
Is there any specific configuration or difference if the event is generated because of using the Get-PasswordFilterResult PS command?
hostname shows the short name of the machine.
messages.dll is compiled from messages.mc, but again, no reference to computer name is in there.
Sorry @zibs1 there is not much I can advise on here. It's either something in Windows or something in the C++ runtime, but it's not something I have control of with LPP.
This might be a small thing but we are seeing this as some inconvenience in SIEM log searching with regards to Computer name for DCs. We would like the Computer name to be the FQDN rather than the hostname. Is there something we can configure for this in the LPP agent? At the moment we have something like:
but we would like to match Computer as with other example Windows logs: