12-06-2016 01:52 AM - edited 12-06-2016 05:19 AM
Hi Guys,
ACC issue. Don't know what could be the reason for the URL block report to show some activities when nobody was using a network on Sunday. NTP? And also question to why all users got 2 digits in the end of their username, Is it normal?
Thx,
Myky
12-06-2016 05:39 AM
Network trafic being reported even when nobody is physically on site wouldn't be that weird since users could have applications on there computers that are still actively trying to communicate. The traffic going to snapchat makes things a little more suspicious because I don't think that actually has a website and makes you go through the phone which would indicate that if it's proper traffic they would have had to be within WiFi range.
The source user not being anything that you recognize is a little more alarming to me; it should only be identifying users that are actually in your system, if theses users with those numbers are not even in your system you have to wonder how they got there.
12-06-2016 05:39 AM
Network trafic being reported even when nobody is physically on site wouldn't be that weird since users could have applications on there computers that are still actively trying to communicate. The traffic going to snapchat makes things a little more suspicious because I don't think that actually has a website and makes you go through the phone which would indicate that if it's proper traffic they would have had to be within WiFi range.
The source user not being anything that you recognize is a little more alarming to me; it should only be identifying users that are actually in your system, if theses users with those numbers are not even in your system you have to wonder how they got there.
12-06-2016 05:48 AM - edited 12-06-2016 05:50 AM
Hiya,
Agreed with you regarding communication is still active (even on weekend). The thing is that username is correct (recognised withing the system), but only with 2 digits extension. Don't know maybe syslog read error or something?
Cheers,
Myky
12-06-2016 07:27 AM
What happens if you do a show log userid user equal 'userid' and look at the logs. Where does it show that the user was actually coming from. It could be a simple syslog error but I wouldn't expect that to add/remove anything from a user name like that.
12-08-2016 07:08 AM
Further investigation showed that the users were on site on Sunday. Regarding the activities on between 2 - 4 AM suggests that they didn't log off from their machine. Thanks as always. Activities were observed from both wired and wireless networks.
12-08-2016 07:24 AM
@TranceforLife did you ever find out why the numbers were added to your user ids, or is that something that was expected in your enviroment?
12-08-2016 07:27 AM - edited 12-08-2016 07:30 AM
No could not find out why. We might need to check that again but at this point it acceptable as all users id are correct just 2 digits added for some reasons.
@BPry What l've noticed is that your giving quite bright replies/suggestions 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
