Audit events are not properly matching the source IP address information due to APIPA addresses on clustered Windows Servers (with ot without clustered SQL Servers) (4380178)

Chatta subito con l'assistenza

Ottieni assistenza in tempo reale
Completa la registrazione

Accedi

Richiedi prezzo

Contatta il supporto vendite

Restituisci

Feedback inviato

Questo articolo ti è servito per risolvere il problema?

Seleziona valutazione

Titolo

Audit events are not properly matching the source IP address information due to APIPA addresses on clustered Windows Servers (with ot without clustered SQL Servers)
Descrizione

Audit events coming from Windows clusters (with ot without SQL Server clustered environment) are using APIPA addresses as the source IP address rather than the actual routable IP address as the origin information. Although the actual source IP address is still stored in another layout column that also has IP address data. This is more frequent with SQL audit events coming from clustered node servers.

APIPA addresses are automatically assigned to network adapters (cannot be obtained by DHCP or manually), non-routable IPs. Devices using APIPA (usually Windows clusters) can only communicate with other devices on the same local network segment (subnet) and cannot be routed to other networks, including the internet.
Causa

XEvents from the SQL server are used to generate Change Auditor SQL events. Those events include a logon event that gives us a NetBIOS host name and maps it to a session ID. Subsequent requests on that session ID are mapped to the original logon hostname. For all events, that host name is resolved to an IPv4 address. From what we see, the events that are being seen are SQL Telemetry account, which is using the APIPA address (failover cluster address). The address resolution method that Change Auditor currently uses gets all IPv4 addresses assigned to the host and currently returns the first one, as APIPA address assignments for cluster nodes weren't considered in the original design.
Risoluzione

The Product team has identified and logged this as a product defect with ID 571878, to filter out APIPA addresses if an IPV4 address in any other subnet is available (similar to how we filter events with 127.0.0.0 as the IP address).

WORKAROUND:

None. Please note that if this is currently impacting your SIEM forwarding automated data digestion strategy, you should accommodate your SIEM automation scripts to use another of the available forwarded mapped columns that contains the actual IP address of the host instead of the usual which is Origin IPv4:

https://support.quest.com/technical-documents/change-auditor/siem-integration-user-guide/
ID difetto

571878

Feedback inviato

Questo articolo ti è servito per risolvere il problema?

Seleziona valutazione

Request a KB Article

Contenuti consigliati

Prodotto/i:: Change Auditor
7.6, 7.5, 7.4

Argomento/i:: Configuration, Troubleshooting, Installation

Cronologia articoli:: Data di creazione: 7/29/2025
Ultimo aggiornamento: 7/29/2025

Cerca in tutti gli articoli

Seleziona il prodotto:

Per una maggiore efficacia, compilare l'Obiettivo della chat:

Soluzioni consigliate per il problema

Audit events are not properly matching the source IP address information due to APIPA addresses on clustered Windows Servers (with ot without clustered SQL Servers) (4380178)

Titolo

Descrizione

Causa

Risoluzione

ID difetto

Leave a Comment