In my log in the main menu under Logs | System Events | Status Messages, I can see these three messages:
9/26/2011 9:20:59 AM Starting Core Server: PRTG Network Monitor 9.1.0.1548 PRTG Network Monitor 500 9/26/2011 9:22:01 AM Logon attempts slowed down due to failed logon margin exceeded in a short amount of time 9/26/2011 10:21:24 AM 100 logons failed since last start of PRTG
At the same time I notice that logging in to the PRTG web interface takes a few seconds. I have also received a ticket about this issue.
What is going on?
Article Comments
Is there any place that would show where the failed logons are coming from? I have had a look through the logs on the PRTG web interface and I do not see where the failed logons are coming from???
Oct, 2011 - Permalink
Patrick, please see the "How can I find these rogue systems?"-part in the article linked by Dirk: What is Overload Protection?
Note: Please install the latest PRTG version so the login attempts are actually written into the log.
Oct, 2011 - Permalink
where i can see the log file ? i only can see : "ew ToDo ticket: Web server is slowing down login attempts (Protective measure) 100 logons failed since last start of PRTG. Please take a look at the following knowledge base article: https://helpdesk.paessler.com/en/support/solutions/articles/25403" but can't find the detail of where is the source ip...
Mar, 2016 - Permalink
Hi Vincent,
Log onto your PRTG host and open the PRTG Administrator Tool and open the Log Folder via the Logs & Info tab.
The webserver log files will be written into the \Logs\webserver folder. If you then open one file, you will find the source IP address of the failed logins (it's the first IP listed after the time stamp).
Best regards, Felix
Mar, 2016 - Permalink
Hi,
When I check the logs all the failed logins are from local.
127.0.0.1 "anonymous-prtgadmin-login_failed"
What can I do about this?
Sep, 2016 - Permalink
Hi philco,
Check the system tray on your PRTG server. This looks very much like there's PRTG's Enterprise Console running in the background and using outdated credentials to access PRTG. Update the credentials configured there or close Enterprise Console, then the failed login attempts will stop.
Kind regards.
Sep, 2016 - Permalink
May I suggest implementing ReCaptcha? Provides better protection than a delay.
Sep, 2018 - Permalink
Hello mwiseley,
Sure, please see here if you like to propose this as a feature request, other users can vote on it as well then.
Kind regards,
Erhard
Sep, 2018 - Permalink
C:\ProgramData\Paessler\PRTG Network Monitor\Logs (Web Server)
I have an Overload Protection mode activated and want to understand what's goind wrong, this directory has only outdated Logs, no files with fresh dates. Where i can find the logs with failed login attempts?
Nov, 2018 - Permalink
Hello Vasily,
If you've updated PRTG recently, the log paths have changed a bit, you find them now here:
C:\ProgramData\Paessler\PRTG Network Monitor\Logs\webserver
Today's webserver log is named "WebServer.log", older ones carry the date in the filename.
Kind regards,
Erhard
Nov, 2018 - Permalink
At the moment it is not possible for the customers to download the server logs in the PRTG hosted. You can only submit the support bundle to Paessler support and we can do it for you.
Jul, 2023 - Permalink
This article applies as of PRTG 22
Failed logins and overload protection
Too many failed logins have triggered the overload protection feature of PRTG.
In the log sample in the question, it took two minutes after the start of the PRTG core server to initiate the overload protection mode. Then it took about one hour to gather 100 more incorrect logins.
More
Sep, 2011 - Permalink