What is overload protection?

Votes:

1


In the PRTG web interface, I can see the message

Overload protection is active! Click to learn more.

What does it mean?

failed-logins overload protection prtg9

Created on Sep 28, 2011 3:05:44 PM by  Dirk Paessler [Founder Paessler AG] (10,983) 3 5

Last change on Oct 12, 2021 5:03:59 AM by  Maike Guba [Paessler Support]



41 Replies

Accepted Answer

Votes:

2


This article applies as of PRTG 21

The Overload Protection functionality in PRTG

The PRTG web server has a built-in mechanism to fight brute-force attacks to crack passwords. This mechanism considerably impacts the performance of the PRTG web interface of the user account that is responsible for the failed login attempts.

How does the overload protection work?

The overload protection works as follows:

  • If 50 login attempts fail, the PRTG web server delays all consecutive login attempts of the respective user account by 35 seconds.
  • When the overload protection activates, PRTG adds the message Logon attempts slowed down due to failed logon margin exceeded in a short amount of time to the log entries under Logs | System Events | Status Message Related in the PRTG web interface.
    After 100 failed login attempts, you can see the message 100 logons failed since last start of PRTG.
  • PRTG stops the overload protection again after a time span of 10 minutes without any failed login attempts.

Where do incorrect login attempts come from?

Incorrect login attempts do not necessarily have to be brute-force attacks. There can be other reasons:

  • There are one or more systems in the network that repeatedly connect to the PRTG core server with incorrect credentials. These are usually systems that connect to the PRTG core server through the PRTG API, for example, systems that run PRTG Desktop with incorrectly configured user accounts.
  • The PRTG apps for iOS or Android can also trigger the overload protection if they use incorrectly configured user names or passwords.
  • Further causes can be all processes that try to load data from the PRTG core server via API calls that include wrong credentials.

How can I find systems that trigger the overload protection?

If you do not know which systems or applications send incorrect login requests, look at the PRTG web server log files that you can find in the \Logs\webserver subfolder of the PRTG data directory. Log file entries can look like this:

2021-09-23 05:08:07 127.0.0.1 "user100-prtgadmin" localhost 80 GET /api/getstatus.htm id=0&username=prtgadmin&passhash=*** 200 "PRTG Desktop/21.8.0 (Windows)"
2021-09-23 05:08:54 192.0.2.0 "anonymous" my.domain.de 443 GET / - 200 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)"

Here, you can find out the IP addresses of systems that connect to the PRTG web server, as well as user accounts and applications that might cause the overload protection:

  • The third column shows the source IP address of the incoming request.
  • The fourth column shows anonymous or the user ID in PRTG (for example, user 100) and the user name used to log in if the request is a login attempt (for example, prtgadmin).
  • The last column shows the browser agent string (for example, Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows) for the PRTG web interface and PRTG Desktop/21.8.0 (Windows) for PRTG Desktop).

To find failed login attempts, search the log file for the string login_failed:

2021-09-23 09:00:23 127.0.0.1 "anonymous-prtgadmin-login_failed" 127.0.0.1 443 POST /public/checklogin.htm loginurl=/home&username=prtgadmin&password=*** 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36"

How can I keep an eye on the number of failed login attempts?

You can monitor the number of failed login attempts per day with the File Content sensor. Configure the sensor as follows:

  1. Log in to the PRTG web interface.
  2. Add a File Content sensor.
  3. Give the sensor a meaningful name, for example, PRTG web server login failed.
  4. Scroll down to section Sensor Specific and define the following settings:
    • Under File Name, enter the path to the WebServer.log file in the \Logs\webserver subfolder of the PRTG data directory.
    • As Search String, enter login_failed.
    • Select Always transmit the entire file for the File Transmission Handling.
    • As Sensor Behavior, select Shows the warning status when the string is found.
    • Leave all other settings as they are.

      Define the sensor settings
  5. Click Save.
  6. On the sensor’s Overview tab, click the pin icon of the Matches channel to make this channel your primary channel. The channel shows the total number of failed login attempts.
  7. Click the cog icon of the Matches channel to edit the channel settings:
    • Select Enable alerting based on limits.
    • For Upper Error Limit, enter 49. This way, the sensor shows the Down status as soon as there are 50 or more failed login attempts.
    • Optionally, set an Upper Warning Limit as well.
    • Optionally, enter an Error Limit Message, for example, More than 50 failed logins, and a Warning Limit Message.

      Set the sensor limits in the channel settings
  8. Click OK to save your settings.

The File Content sensor now shows the total number of failed logins per day in the Matches channel and the line in the WebServer.log file where PRTG logged the last failed login attempt in the Last occurrence (line) channel.

File Content sensor that shows failed login attempts

Created on Sep 28, 2011 3:11:04 PM by  Dirk Paessler [Founder Paessler AG] (10,983) 3 5

Last change on Oct 12, 2021 5:24:58 AM by  Maike Guba [Paessler Support]
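
Added example (not part of the original answer and not Paessler code): a small Python parser for the web server log entries quoted above that groups failed login attempts by source IP address, login name and agent string, so the misconfigured client stands out. The field layout is inferred from the sample entries in this thread; the sample lines, the svc-report account and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the sample entries in this thread:
# date time source-ip "user field" host port method path query status "agent"
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<src>\S+) "(?P<user>[^"]*)" (?P<host>\S+) (?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<query>\S+) (?P<status>\d{3}) '
    r'"(?P<agent>[^"]*)"\s*$'
)
# Failed logins carry a marker in the user field, for example
# "anonymous-prtgadmin-login_failed" or
# "anonymous-prtgadmin-login_failed_and_delayed_120_seconds".
# A login name may itself contain hyphens, so anchor on the marker.
USER_RE = re.compile(
    r'^(?P<uid>[^-]+)-(?P<name>.+?)-(?P<marker>login_failed\w*)$'
)

# Constructed sample. The first three lines are adapted from the entries
# quoted above; the svc-report lines are invented for illustration.
SAMPLE = """\
2021-09-23 05:08:07 127.0.0.1 "user100-prtgadmin" localhost 80 GET /api/getstatus.htm id=0&username=prtgadmin&passhash=*** 200 "PRTG Desktop/21.8.0 (Windows)"
2021-09-23 05:08:54 192.0.2.0 "anonymous" my.domain.de 443 GET / - 200 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)"
2021-09-23 09:00:23 127.0.0.1 "anonymous-prtgadmin-login_failed" 127.0.0.1 443 POST /public/checklogin.htm loginurl=/home&username=prtgadmin&password=*** 200 "Mozilla/5.0 (Windows NT 10.0)"
2021-09-23 09:01:10 192.0.2.15 "anonymous-svc-report-login_failed" my.domain.de 443 GET /api/table.csv id=0&login=svc-report&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2021-09-23 09:01:40 192.0.2.15 "anonymous-svc-report-login_failed_and_delayed_120_seconds" my.domain.de 443 GET /api/table.csv id=0&login=svc-report&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
"""


def failed_logins(lines):
    """Return one dict per failed login attempt.

    The HTTP status is deliberately ignored: the sample entries show
    status 200 even for failed attempts, so only the marker is reliable.
    """
    found = []
    for line in lines:
        entry = LINE_RE.match(line.strip())
        if not entry:
            continue  # truncated or differently formatted line
        user = USER_RE.match(entry["user"])
        if not user:
            continue  # successful or anonymous request, not a failed login
        found.append({
            "when": entry["date"] + " " + entry["time"],
            "src": entry["src"],
            "name": user["name"],
            "marker": user["marker"],
            "path": entry["path"],
            "agent": entry["agent"],
        })
    return found


def summarize(lines):
    """Count failed logins per (source IP, login name, agent), busiest first."""
    hits = Counter(
        (e["src"], e["name"], e["agent"]) for e in failed_logins(lines)
    )
    return hits.most_common()


if __name__ == "__main__":
    for (src, name, agent), count in summarize(SAMPLE.splitlines()):
        print(f"{count:5d}  {src:15s}  {name:15s}  {agent}")
```

To run it against a real file, pass the lines of WebServer.log from the \Logs\webserver subfolder to summarize() instead of SAMPLE.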



Votes:

0


Hello,

where is the "\Logs (Web Server)" folder? I searched the whole PRTG server filesystem and found nothing which has to do with it.

Created on Sep 30, 2011 3:07:29 PM by  Mike Holland (0) 1



Votes:

0


Mike, please see How and where does PRTG store its data?, the "Logs (Webserver)"-folder resides inside the PRTG Datafolder. You might need to adjust your Windows Explorer View-Settings to see/access this hidden folder.

Created on Sep 30, 2011 4:27:00 PM by  Torsten Lindner [Paessler Support]



Votes:

0


Is there any way to disable Overload Protection?

Created on Aug 15, 2012 3:57:09 PM by  Tony Kan (0)



Votes:

0


Sorry, the Overload Protection cannot be disabled.

Created on Aug 15, 2012 3:59:28 PM by  Torsten Lindner [Paessler Support]



Votes:

0


Does the "Overload Protection is Active" message only show when there is something wrong or should it be on all the time?

Created on Jan 15, 2013 7:46:58 PM by  Josiah Ritchie (120) 1 1



Votes:

0


Overload Protection indicates that there is an issue. Default should be that the overload protection is off.

Created on Jan 16, 2013 6:09:08 AM by  Aurelio Lombardi [Paessler Support]

Last change on Jan 16, 2013 7:48:11 AM by  Aurelio Lombardi [Paessler Support]



Votes:

0


Is there a config file or anything in the web interface where one can tweak the overload protection? My organization would like to configure stricter rules for overload protection. Initiating after 50 failed login attempts may be a little too high for us.

Created on Feb 19, 2013 2:48:38 PM by  mbrennan (10) 2



Votes:

0


No, there is no config file or similar. The values in the overload protection are hard coded. Sorry.

Created on Feb 19, 2013 2:50:08 PM by  Konstantin Wolff [Paessler Support]



Votes:

0


Thank you for the fast reply. Is this something that can be added to a wishlist?

Created on Feb 19, 2013 2:54:31 PM by  mbrennan (10) 2



Votes:

0


I will put this on the wishlist for upcoming releases but cannot guarantee if or when this will be implemented.

Created on Feb 19, 2013 2:56:17 PM by  Konstantin Wolff [Paessler Support]



Votes:

0


I'll add to that request, or a mechanism to do something about it. Some APIs I downloaded can't work, and segmenting automated reports is not a great option either.

Created on Apr 18, 2013 8:07:05 PM by  Quala S.A. Quala S.A. (0) 1



Votes:

0


Hello, new PRTG user here! LOVE IT!

But after changing the default login account and disabling the "prtgadmin" account I am now receiving this error.

I have this line in my logs,

2013-05-22 12:51:14 127.0.0.1 "anonymous-nhoague-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=netflowheader&filter_type=n ...

Where does this anonymous come from? I have only found one place in the server administrator to change the login account, and then I also changed the login in the enterprise console.

Thanks!

Created on May 22, 2013 7:12:50 PM by  Nicholas Hoague (0) 1



Votes:

0


This looks like a library access, which is trying to log in using the name 'nohague' but fails. This most likely has to do with the login name being used more than once for a user account. Please check on the same and adjust the name entries accordingly.

Created on May 24, 2013 12:52:44 PM by  Patrick Hutter [Paessler Support] (7,225) 3 3



Votes:

0


Hi Paessler Team,

I noticed that every time I run a report with graphics in one particular scenario (see below), the Overload Protection warning is displayed (ajax interface). I followed the steps above regarding the logs and I found the login_failed from the pc I am accessing the prtg page.

The prtg server can be accessed via a private IP (192.168.X.X) within the enterprise LAN and from the outside via a Public IP address.

1. Accessing prtg from the local network does not display the Overload Warning message during the report run.

2. Accessing prtg from the outside (public IP) displays the Overload Warning message. The report completes but slowly.

Thank you.

Created on Apr 8, 2014 10:17:42 PM by  jf_hernandez (1) 1



Votes:

0


The important bit, if this issue occurs when generating HTML reports, is whether the password in the URL is right or wrong. Due to a bug in the generation of the forwarding URL by the Nag Screen, the password was set erroneously. This bug should have been fixed with version 14.1.9.x

Created on Apr 15, 2014 12:43:21 PM by  Patrick Hutter [Paessler Support] (7,225) 3 3



Votes:

0


Hi Guys,

How do I change the PRTG username tied to a library thread, as the person who created it has left and I want to disable their account? Due to this I am constantly having overload protection issues.

Created on May 19, 2014 7:05:23 AM by  lingario (0) 1



Votes:

0


It's not possible to change the user who created a Library. I'm afraid at the moment, it will be necessary to remove and re-create the Library. Sorry.

Created on May 19, 2014 10:49:01 AM by  Torsten Lindner [Paessler Support]



Votes:

0


My log has a lot of errors. Could you help, please?

2014-07-04 10:57:18 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&[email protected](esx)&[email protected](esxserverhosthealthsensor)&[email protected](esxserverhostsensor)&[email protected](esxserversensor)&[email protected](esxservervmsensor)&[email protected](esxshealthsensor)&[email protected](esxvmsensor)&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"


2014-07-04 10:57:24 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=5&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"


2014-07-04 10:57:29 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=4&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"

Created on Jul 4, 2014 3:09:51 AM by  ckc0206 (0)

Last change on Jul 4, 2014 12:34:01 PM by  Torsten Lindner [Paessler Support]



Votes:

0


These requests are from Libraries. Libraries are saved under the User Account who created the Library. The library then "logs in" with the same user account to refresh filters. So if a user is removed, who created a Library, the Library then causes these fails. It would be necessary to remove the Libraries as well.

Created on Jul 4, 2014 12:34:15 PM by  Torsten Lindner [Paessler Support]



Votes:

0


I'm having this problem, and looking at the log I see this:

2014-07-30 13:55:08 127.0.0.1 "anonymous-cerivera-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=jflowheader&filter_type=jflowcustom&login=cerivera&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"

Created on Jul 30, 2014 6:06:54 PM by  erecpr (0)

Last change on Aug 1, 2014 11:46:38 AM by  Greg Campion [Paessler Support]



Votes:

0


As Torsten said above, this is a call that is used by PRTG for a library. Please try and delete this library and the error should go away. It looks like this is used for a jFlow library so check to see if there are any of those in your PRTG installation.

Created on Aug 1, 2014 11:46:20 AM by  Greg Campion [Paessler Support]



Votes:

0


Is it possible that this error occurs with a wrong username or password for a SENSOR?

Created on Jan 6, 2015 1:38:40 PM by  rapolinario (0)



Votes:

0


Being locked out of PRTG because of overload protection should only happen when accessing PRTG itself. If a sensor has the wrong credentials and is using those to scan a device, the device itself could also have similar protection but you would have to check on the device if this is the case.

Created on Jan 7, 2015 8:30:09 AM by  Greg Campion [Paessler Support]



Votes:

0


I just had the same issue. After checking the logs I saw that it was my iOS app trying to log in again. I changed my Windows password and so the stored credential was no longer valid. And the iOS app (14.4.9) did not ask for the new password. It retried again and again.

So, check your app. While we are at it: it would be a nice touch if the app, like various home banking apps, could additionally be protected against being launched with a PIN or the password. Tablets in particular are sometimes "family devices", and Apple has no multi-user capability. It would be quite helpful if a daughter or son could not simply launch the "fancy" icon and then change the servers in Dad's company.

Frank

Created on Feb 1, 2015 8:47:31 PM by  Frank Carius (341) 1 1



Votes:

0


Hi, I am seeing the following. Any ideas what's causing it?

login=admin&passhash=* 200 "Mozilla/3.0 (compatible; Indy Library)"
2015-05-11 15:20:50 10.9.62.9 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 10.9.62.9 8080 POST /api/getstatus.htm login=prtgadmin&password=*&id=0 200 "Mozilla/5.0 (compatible; PRTG Network Monitor Enterprise Console; Windows)"

Created on May 11, 2015 2:30:05 PM by  danovery (0) 1



Votes:

0


This might be an Enterprise Console configured with wrong credentials from a host with the IP 10.9.62.9. Can you check that out? :)

Created on May 12, 2015 8:20:54 AM by  Stephan Linke [Paessler Support]



Votes:

0


We have a similar situation where local prtgadmin is creating login requests from the server itself. The only Libraries are those that shipped with the installation. Is the advice here https://kb.paessler.com/en/topic/25523-what-is-overload-protection#reply-194984 really saying we have to delete the default prtgadmin account or delete the libraries that shipped with the installation (and have to re-create them somehow from memory or after spending time documenting them)? This does not seem right. Our installation has only been running since yesterday.

Created on Jun 15, 2015 7:43:43 AM by  bede (0)



Votes:

0


Is there an Enterprise Console running on the PRTG Server? It could also be a crashed EC. Can you make sure that there's no process called PRTG Enterprise Console running?

Created on Jun 15, 2015 8:05:36 AM by  Stephan Linke [Paessler Support]



Votes:

0


OK - thanks - found enterprise console was running on server from initial testing - now shutdown on server - how long before the overload warnings might be expected to go - so if not we can investigate further? thanks

Created on Jun 15, 2015 10:47:19 AM by  bede (0)



Votes:

0


10 minutes without failed logins and the warning will disappear.

Created on Jun 15, 2015 11:37:21 AM by  Stephan Linke [Paessler Support]



Votes:

0


I have this warning jumping all the time. How can I stop this?

Created on Jul 5, 2015 1:20:10 PM by  sapir (0) 1



Votes:

0


It's probably an Enterprise Console installed on either the PRTG server or anywhere in your network that still has the old credentials configured. In order to check this, please send your PRTG Core Server.log files (resides under C:\ProgramData\Paessler\PRTG Network Monitor\Logs (System)) to [email protected] - please reference this thread so we know it's you :)

Created on Jul 6, 2015 5:53:34 AM by  Stephan Linke [Paessler Support]



Votes:

0


Hi,

we had this today; the failed logins have been identified and stopped.

Overload protection is not alerting as "on" but we are still locked out.

We can access PRTG with the admin account - our AD accounts are locked out.

Does Overload protection display all the time it's on?

Created on Sep 21, 2016 3:24:46 PM by  jcarpenter (0)



Votes:

0


Hello,
thank you for your inquiry.

The overload protection is automatically disabled after 10 minutes without any failed login attempts. Please check on your Active Directory whether the actual user accounts are locked out or log in to PRTG with the built-in admin account and issue a Clear Caches from within Setup > Administrative Tools.


Best Regards,
Luciano Lingnau [Paessler Support]

Created on Sep 22, 2016 4:16:17 PM by  Luciano Lingnau [Paessler]



Votes:

0


Hi, if we know the account that is being brute-forced (due to a change of Active Directory password), is it possible to sleep that account so that the Overload Protection is not activated for that account?

E.g. I've disabled the account hoping that the Overload Protection would stop... but it didn't.

Created on Dec 13, 2016 12:33:32 PM by  trunq (11) 1



Votes:

0


Hi trung,

I'm afraid this does not change anything. A failed login attempt is a failed login attempt in the end, no matter whether the user exists in PRTG's userbase or not. The only way around is stopping these failed logins by either updating credentials on the machine that causes those failing logins or disabling Enterprise Console for example on this machine in case Enterprise Console is responsible for these logins, which is also shown in the webserver log as also described above.

Kind regards,

Erhard

Created on Dec 14, 2016 8:07:19 AM by  Erhard Mikulik [Paessler Support]



Votes:

0


I would like to use a corresponding sensor in PRTG for Overload Protection (on a probe). Or is it already built in?

Created on Oct 25, 2018 8:22:27 PM by  ITSE (10)



Votes:

0


ITSE,

Overload Protection is a system function that prevents the PRTG server from becoming unstable and un-responsive. I'm not sure what you mean by, "I would like to use a corresponding sensor in PRTG for Overload Protection."

Can you elaborate?

Benjamin Day
Paessler Support

Created on Oct 25, 2018 11:16:58 PM by  Benjamin Day [Paessler Support]



Votes:

0


Hi

How can I identify which sensor the following login failure is originating from?

127.0.0.1 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 127.0.0.1 80 GET /api/table.xml username=prtgadmin&passhash=*&content=sensors&columns=objid,parentid,name,probe,group,device,status,priority,type,type_raw,message,tags&id=14003 200 "-"

Regards

Created on Mar 28, 2019 11:26:17 AM by  jennis71 (0)



Votes:

0


Jennis,

The logon is anonymous, and it originated from the PRTG Core Server. But the only sensors that can do anything like this would be HTTP REST API sensors, as those are the only ones that can make an API call.

Also, you might check your Notification Templates, as you can make an API call from there as well.

Benjamin Day
Paessler Support

Created on Mar 28, 2019 8:11:10 PM by  Benjamin Day [Paessler Support]





Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.