An account failed to log on (security monitoring)

We have this monitoring program called EIQ and it logs events like these. But I'm having a hard time understanding this. Does this say our Administrator account is the problem here? All of us fail sometimes at the first attempt to log into a system as the admin but I'm not sure why all of a sudden it is logging an event like this. I would think a failed admin account would show up more often in reports.

Raw Event: 10Hostwindows08/13/2015 10:14:14uid=domaincontroller ip=10.2.2.5 hostname=domaincontroller ec=529 et=Failure Audit facility=security source=Security sev=failure npri=1 msg="Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WORKSTATIONID Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WORSTATIONID Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.2.2.199 Source Port: 0 Caller Process Name: (null)" sip=10.2.2.199 sport=0 dip=10.2.2.5 user=administrator logondomain=WORKSTATIONID logonwrkst=WORKSTATIONID process=(null) domain=workstationid auth-method=NtLmSsp shortdesc=Logon Failure. Reason: Unknown user name or bad password. authtype=NTLM logontype=Network ecat=Authentication ecatsubcat=Logon ecatresult=Failure alertrule=Rule 1 node-group=managed
stlhost Asked:

Paul MacDonald, Director, Information Systems, Commented:
Someone is trying to log in as "administrator" from the machine at 10.2.2.199, but isn't giving the correct password.  If 10.2.2.199 is an internal host, it may be compromised, a user there may be up to funny stuff, or an administrator may have sat there and mis-typed the password to access the server.

Aland Coons, Systems Engineer, Commented:
Check for services running with administrator credentials.  

When the administrator password changes the services will fail to start until the password is updated again.   Using an administrator account for running a service is insecure as you want to provide the least permissions required.   Try setting up a service account with the necessary permissions.
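Added example (not part of the original thread and not EIQ's own code): a parser for the key=value event format quoted in the question. It pulls out the fields both answers rely on (source address, account, logon type) and counts failures per source, so a single mistyped password can be told apart from a source that keeps failing. The function names are hypothetical and the sample is a trimmed copy of the event above.

```python
import re
from collections import Counter

# Trimmed copy of the raw event quoted in the question (msg shortened).
SAMPLE = (
    '10Hostwindows08/13/2015 10:14:14uid=domaincontroller ip=10.2.2.5 '
    'hostname=domaincontroller ec=529 et=Failure Audit sev=failure '
    'msg="Logon Failure: Reason: Unknown user name or bad password '
    'User Name: administrator Logon Type: 3 Source Network Address: 10.2.2.199" '
    'sip=10.2.2.199 sport=0 dip=10.2.2.5 user=administrator '
    'logondomain=WORKSTATIONID logonwrkst=WORKSTATIONID auth-method=NtLmSsp '
    'authtype=NTLM logontype=Network ecat=Authentication ecatsubcat=Logon '
    'ecatresult=Failure alertrule=Rule 1 node-group=managed'
)

# key=value pairs: a value is "quoted" or runs up to the next " key=" or end of line.
PAIR = re.compile(
    r'(?:^|\s)([A-Za-z][\w-]*)=(?:"([^"]*)"|(.*?))(?=\s+[A-Za-z][\w-]*=|\s*$)'
)

def parse_event(raw):
    """Return the key=value fields of one raw event as a dict.
    The header fused onto uid= in the page's copy is skipped, so uid is not recovered."""
    return {key: (quoted or bare).strip() for key, quoted, bare in PAIR.findall(raw)}

def triage(fields):
    """Notes a responder would draw from one failed-logon event."""
    if fields.get("ecatresult") != "Failure":
        return []
    notes = [f"{fields.get('user')} failed from {fields.get('sip')} against {fields.get('dip')}"]
    if fields.get("logontype") == "Network":
        notes.append("network logon (type 3), not an interactive console logon")
    if fields.get("logondomain", "").lower() == fields.get("logonwrkst", "-").lower():
        notes.append("supplied domain equals the workstation name")
    return notes

def failures_by_source(raw_events):
    """Count failed logons per (source IP, user): one mistype vs. a repeating source."""
    counts = Counter()
    for raw in raw_events:
        f = parse_event(raw)
        if f.get("ecatsubcat") == "Logon" and f.get("ecatresult") == "Failure":
            counts[(f.get("sip"), f.get("user"))] += 1
    return counts

if __name__ == "__main__":
    print("\n".join(triage(parse_event(SAMPLE))))
    print(failures_by_source([SAMPLE] * 3))  # constructed burst: same event three times
```

A count that keeps growing for one source at regular intervals fits the stale service credential case; an isolated failure fits a mistyped password.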