We have this monitoring program called EIQ and it logs events like these. But I'm having a hard time understanding this. Does this say our Administrator account is the problem here? All of us fail sometimes at the first attempt to log into a system as the admin but I'm not sure why all of a sudden it is logging an event like this. I would think a failed admin account would show up more often in reports.
Raw Event: 10Hostwindows08/13/2015 10:14:14uid=domaincontroller ip=10.2.2.5 hostname=domaincontroller ec=529 et=Failure Audit facility=security source=Security sev=failure npri=1 msg="Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WORKSTATIONID Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WORSTATIONID Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.2.2.199 Source Port: 0 Caller Process Name: (null)" sip=10.2.2.199 sport=0 dip=10.2.2.5 user=administrator logondomain=WORKSTATIONID logonwrkst=WORKSTATIONID process=(null) domain=workstationid auth-method=NtLmSsp shortdesc=Logon Failure. Reason: Unknown user name or bad password. authtype=NTLM logontype=Network ecat=Authentication ecatsubcat=Logon ecatresult=Failure alertrule=Rule 1 node-group=managed