I saw your request for comments on the LogAnalysis mailing list, and thought I'd contribute the following experiences.

While the logon type may be inaccurate in the 538 event, you can correlate to the associated 528 (Logon) event using the Logon ID, which looks something like (0x0,0x5B45F1). This Logon ID is used for all security events occurring during that logon session, including the 538 event.

I've also found that, for domain controllers and member servers, you will typically have fewer 538 events than 528 events. I believe this is attributed to users undocking/BSOD/powering off - where no actual logoff occurs - and the resources being used simply time out.

Thanks
Gord T.

------------------------------------------------------------
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.

This e-mail is confidential and protected. The sender does not waive the rights and obligations that relate to it. Any distribution, use or copying of this message or the information it contains by a person other than the designated recipient(s) is prohibited. If you receive this e-mail in error, please notify me immediately, by return e-mail or by another means.
============================================================
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
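One way to do the 528/538 correlation by Logon ID that Gord describes, and to list the sessions that never received a 538, as an added example that is not part of the original post. The pipe-separated record layout, field names and sample values are constructed for illustration; a real exported security log will need its own parse_event().

```python
# Added example (not from the original post): correlate Windows security
# events 528 (successful logon) and 538 (user logoff) by Logon ID, and
# report logon sessions that never received a matching 538.
# The record layout below is a constructed, simplified dump format.
import re
from datetime import datetime

# Constructed sample records: "timestamp|event_id|user|logon_type|logon_id"
SAMPLE_LOG = """\
2003-06-18 08:01:12|528|DOMAIN\\alice|2|(0x0,0x5B45F1)
2003-06-18 08:03:40|528|DOMAIN\\bob|3|(0x0,0x5B4A07)
2003-06-18 08:05:02|560|DOMAIN\\alice|-|(0x0,0x5B45F1)
2003-06-18 12:30:55|538|DOMAIN\\bob|3|(0x0,0x5B4A07)
2003-06-18 17:45:09|538|DOMAIN\\alice|2|(0x0,0x5B45F1)
2003-06-18 18:02:33|528|DOMAIN\\carol|2|(0x0,0x5C0012)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|(?P<user>[^|]+)\|(?P<ltype>[^|]+)\|"
    r"(?P<lid>\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\))$"
)

def parse_event(line):
    """Parse one constructed record; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["eid"] = int(d["eid"])
    return d

def correlate_sessions(log_text):
    """Return {logon_id: session}; 'logoff' stays None when no 538 was seen."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        lid = ev["lid"]
        if ev["eid"] == 528:
            # Take the logon type from the 528 event, not from the 538.
            sessions[lid] = {"user": ev["user"], "logon_type": ev["ltype"],
                             "logon": ev["ts"], "logoff": None}
        elif ev["eid"] == 538 and lid in sessions:
            sessions[lid]["logoff"] = ev["ts"]
    return sessions

def unmatched_logons(sessions):
    """Logon IDs with a 528 but no 538 (undock, power-off, BSOD, ...)."""
    return sorted(lid for lid, s in sessions.items() if s["logoff"] is None)

def session_seconds(sessions, lid):
    """Session length in seconds, or None if the session never logged off."""
    s = sessions[lid]
    return None if s["logoff"] is None else (s["logoff"] - s["logon"]).total_seconds()
```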
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 10:17:22 PDT