I had a "100 logons failed since last start of PRTG" alert. I did research and found the web server logs. I'm not sure how to read these entries... I'm assuming that the 3rd column is the IP that originates the alert. Then we have anonymous and user100 and IP - .252.47, which is the PRTG server. What is the stuff after GET? How can I fix this? Is this something I should be worried about? Thanks for the help.
2017-01-11 10:22:29 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:29 192.168.252.3 "user100" 192.168.252.47 443 GET /css/images/Monitoring_454545.png - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484148109192 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148109193 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:49 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /home - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /welcome.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:50 192.168.252.3 "user100" 192.168.252.47 443 GET /api/sensortypesinuse.json simpleobject=true 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:50 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148169912 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:22:50 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148169914 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484148169913 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /controls/welcome_currentalarms.htm _=1484148169915 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 10:23:10 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
Article Comments
I already did the search before I posted the question and found a couple of failed logins.
My question is, what are the rest of the records in the logs? user100? etc.
2017-01-11 09:39:38 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484145373446 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 09:39:38 192.168.252.3 "user100" 192.168.252.47 443 GET /controls/table.htm tableid=messagetable&content=messages&columns=datetime,parent,type,name,status,message&sortby=date&refreshable=true&"tabletitle=Log Entries"&datepicker=true&filter_drel=7days&sortable=false&_=1484145373447 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 09:39:38 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2017-01-11 09:39:42 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
Jan, 2017 - Permalink
Hi there,
Those are just normal access logs to the webserver. (Like access logs of an IIS or Apache server)
Jan, 2017 - Permalink
Which Sensor are you using for this? I want to get the information about browser used, pages accessed, etc.
Nov, 2017 - Permalink
Hi felipeleite,
This is not a particular sensor; those are details logged in PRTG's webserver logs. You find them in PRTG's data path, usually that would be C:\ProgramData\Paessler\PRTG Network Monitor\Logs (System) (if not configured otherwise). In the subfolder Logs (Web Server) you then find a log for each day.
Kind regards,
Erhard
Nov, 2017 - Permalink
Hi there,
To find out who tried to log in and failed, search for "login_failed" and you will get all entries related to a failed login. You can then read them as:
You could also monitor the failed logins by using the following guide.
Jan, 2017 - Permalink
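The following is an added example, not code from the thread or from Paessler: it splits pasted web server log entries like the ones above into fields and counts entries containing the "login_failed" token per client IP. The field names are assumptions inferred from the sample lines, and the last sample entry is constructed, because the thread does not show what a real failed-login entry looks like.

```python
import re
from collections import Counter

# Field names are assumptions inferred from the sample lines in this thread.
ENTRY = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<client>\S+) "(?P<user>[^"]*)" (?P<server>\S+) (?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<query>.*) '   # query may hold quotes/spaces
    r'(?P<status>\d{3}) "(?P<agent>.*)"$'
)
# Entries pasted as one run are split wherever a new timestamp begins.
BOUNDARY = re.compile(r'\s+(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )')

def parse(blob):
    """Return one dict per entry; a piece that does not match keeps only 'raw'."""
    entries = []
    for raw in BOUNDARY.split(blob.strip()):
        if not raw:
            continue
        m = ENTRY.match(raw)
        entry = m.groupdict() if m else {}
        entry["raw"] = raw
        entries.append(entry)
    return entries

def failed_logins_by_client(entries):
    """Count entries containing the 'login_failed' token, grouped by client IP."""
    hits = Counter()
    for e in entries:
        if "login_failed" in e["raw"]:
            hits[e.get("client", "unparsed")] += 1
    return hits

UA = '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"'
SAMPLE = " ".join([
    # First three entries are copied from the thread.
    '2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148109193 200 ' + UA,
    '2017-01-11 10:22:49 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 ' + UA,
    '2017-01-11 09:39:38 192.168.252.3 "user100" 192.168.252.47 443 GET /controls/table.htm tableid=messagetable&"tabletitle=Log Entries"&sortable=false&_=1484145373447 200 ' + UA,
    # CONSTRUCTED entry: position of the login_failed token in real logs is an assumption.
    '2017-01-11 10:24:05 192.168.252.9 "anonymous" 192.168.252.47 443 GET /example login_failed 200 "constructed-agent"',
])

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e.get("client"), e.get("user"), e.get("path"), e.get("status"))
    print(dict(failed_logins_by_client(parse(SAMPLE))))
```
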