What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Logs (Web Server) entries

Votes:

0

I had a "100 logons failed since last start of PRTG" alert, I did research and found web server logs. Im not sure how to read these entries...Im assuming that 3rd column is the IP that originates the alert. Then we have anonymous and user100 and IP - .252.47 which is PRTG server. what is the stuff after GET ? How can I fix this? Is this something I should be worry about ? Thanks for help

2017-01-11 10:22:29 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:29 192.168.252.3 "user100" 192.168.252.47 443 GET /css/images/Monitoring_454545.png - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484148109192 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148109193 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:49 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /home - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:49 192.168.252.3 "user100" 192.168.252.47 443 GET /welcome.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:50 192.168.252.3 "user100" 192.168.252.47 443 GET /api/sensortypesinuse.json simpleobject=true 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:50 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148169912 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:22:50 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /api/status.json asjson=true&id=-1&_=1484148169914 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484148169913 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:23:10 192.168.252.3 "user100" 192.168.252.47 443 GET /controls/welcome_currentalarms.htm _=1484148169915 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 10:23:10 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

anonymous logs web-server

Created on Jan 11, 2017 3:33:44 PM



5 Replies

Votes:

0

Hi there,

To find out who tried to login and failed, search for "login_failed" and you will get all entries related to a failed login. You can then read them as:

LogEntry Number | Date | Time | Origin IP | User | Contacted Server | Port | Method | Requested Ressource | Status Code | User Agent

You could also monitor the failed logins this by using this following guide.

Created on Jan 11, 2017 8:23:58 PM by Dariusz Gorka [Paessler Support]



Votes:

0

i already did the search before I post the question and found couple of failed logins.

My question is, what is the rest of the records in the logs?? user100 ? etc

2017-01-11 09:39:38 192.168.252.3 "user100" 192.168.252.47 443 GET /api/public/testlogin.htm _=1484145373446 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 09:39:38 192.168.252.3 "user100" 192.168.252.47 443 GET /controls/table.htm tableid=messagetable&content=messages&columns=datetime,parent,type,name,status,message&sortby=date&refreshable=true&"tabletitle=Log Entries"&datepicker=true&filter_drel=7days&sortable=false&_=1484145373447 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 09:39:38 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 2017-01-11 09:39:42 192.168.252.3 "anonymous" 192.168.252.47 443 GET /favicon.ico - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

Created on Jan 11, 2017 8:41:10 PM



Votes:

0

Hi there,

Those are just normal access logs to the webserver. (Like access logs of an IIS or Apache server)

Created on Jan 11, 2017 9:01:24 PM by Dariusz Gorka [Paessler Support]



Votes:

0

Which Sensor are you using for this? I want to get the information about browser used, pages accessed, etc.

Created on Nov 21, 2017 6:45:01 AM



Votes:

0

Hi felipeleite,

This is not a particular sensor, those are details logged in PRTG's webserver logs. You find them in PRTG's data path, usually that would be C:\ProgramData\Paessler\PRTG Network Monitor\Logs (System) (if not configured otherwise). In subfolder Logs (Web Server) you find a log then for each day.

Kind regards,

Erhard

Created on Nov 21, 2017 4:20:55 PM by Erhard Mikulik [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.