Re: [logs] FW: Windows Auditing question

From: Tina Bird (tbird@precision-guesswork.com)
Date: Fri Jun 27 2003 - 08:56:55 PDT


    On Fri, 27 Jun 2003, Bruno Osuch wrote:
    
    > > Hello.  My supervisor has asked me to start monitoring bad or failed logon
    > > attempts for users.  I set up auditing but the "Windows Event Viewer" does
    > > not give me the proper data.  I am running NT 4 Server SP6a.  The column for
    > > username just gives me "system" & the computer description is always the
    > > "$pdc" computer name.  I have to open each event in "details" to get the info
    > > for individuals.  When I "export" the data to xls I still only get the
    > > generic data NOT the detailed info I need to determine the "username &
    > > computer" the failed attempts are coming from.  Any way to do this?  Or
    > > what am I missing here?
    
    you're in a windows NT environment, right?  and clearly there's a domain
    involved.  it sounds like you've enabled login auditing on the primary
    domain controller.  unfortunately, on an NT 4 domain, the events for user
    login and logout are only recorded on the local workstations, not on the
    domain controller.
    
    so you can either grab logs from all your workstations, or upgrade to
    Win2K, which records domain logins at the domain controller.
    
    i'll see if i can find a reference to this, but i've got to go to a
    meeting...
    
    HTH -- tbird
    
    --
    I was being patient, but it took too long.
                                                  -- Anya, BtVS
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
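    The symptom Bruno describes (the "User" column showing SYSTEM and the "Computer"
    column showing the PDC for every record) is normal for Windows logon audits: the
    security subsystem writes the audit, so the account, domain and workstation that
    actually failed are only in the event description. Below is an added example,
    not code from this thread, that pulls those fields out of a batch of exported
    records and counts failures per account and source workstation. It assumes the
    classic NT 4 / Windows 2000 failed-logon event IDs (529, 530, 531, 532, 533,
    534, 535, 537, 539) and the "Key:<tab>Value" layout of the event 529 description
    ("Logon Failure: ... User Name: ... Workstation Name: ..."); the sample records
    are constructed for the example, not taken from a real log.

```python
"""Pull account and workstation out of NT 4-style failed-logon audit records.

Added example (not from the original thread). The description layout is an
assumption modelled on the classic event 529 text; SAMPLE_EVENTS is constructed.
"""
from collections import Counter

# Classic NT 4 / Windows 2000 failed-logon event IDs (assumed set for this example).
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 537, 539}

# Constructed sample export: (event id, "User" column, "Computer" column, description).
# The User column reads SYSTEM and the Computer column is the PDC for every
# record, exactly the symptom in the question; the useful fields are inside the
# description text.
SAMPLE_EVENTS = [
    (529, "SYSTEM", "PDC", "Logon Failure:\n"
                           "\tReason:\t\tUnknown user name or bad password\n"
                           "\tUser Name:\tjdoe\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
                           "\tLogon Process:\tKSecDD\n"
                           "\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
                           "\tWorkstation Name:\tWS-ACCT07"),
    (529, "SYSTEM", "PDC", "Logon Failure:\n"
                           "\tReason:\t\tUnknown user name or bad password\n"
                           "\tUser Name:\tjdoe\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
                           "\tWorkstation Name:\tWS-ACCT07"),
    (539, "SYSTEM", "PDC", "Logon Failure:\n"
                           "\tReason:\t\tAccount locked out\n"
                           "\tUser Name:\tjdoe\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
                           "\tWorkstation Name:\tWS-ACCT07"),
    (529, "SYSTEM", "PDC", "Logon Failure:\n"
                           "\tReason:\t\tUnknown user name or bad password\n"
                           "\tUser Name:\tadministrator\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
                           "\tWorkstation Name:\tLAB-03"),
    # Constructed record with no Workstation Name line, to exercise the fallback.
    (529, "SYSTEM", "PDC", "Logon Failure:\n"
                           "\tReason:\t\tUnknown user name or bad password\n"
                           "\tUser Name:\tguest\n\tDomain:\t\tCORP\n\tLogon Type:\t3"),
    # A successful logon; must be ignored by the failure extraction.
    (528, "SYSTEM", "PDC", "Successful Logon:\n"
                           "\tUser Name:\tmsmith\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
                           "\tWorkstation Name:\tWS-HR02"),
]


def parse_description(text):
    """Map the 'Key:<tab>Value' lines of an event description to a dict.

    Heading lines with no value (e.g. 'Logon Failure:') are skipped; the split is
    on the first ':' so values containing colons survive intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def extract_failures(events):
    """Return one dict per failed-logon record with user, domain, workstation
    and reason. Successful logons (528) and any ID outside FAILED_LOGON_IDS
    are ignored; a missing Workstation Name is reported rather than guessed."""
    failures = []
    for event_id, _user_col, _computer_col, description in events:
        if event_id not in FAILED_LOGON_IDS:
            continue
        f = parse_description(description)
        failures.append({
            "event_id": event_id,
            "user": f.get("User Name", "<unknown>"),
            "domain": f.get("Domain", "<unknown>"),
            "workstation": f.get("Workstation Name", "<not recorded>"),
            "reason": f.get("Reason", "<unknown>"),
        })
    return failures


def count_by_source(failures):
    """Count failures per (DOMAIN\\user, workstation) pair."""
    return Counter((f"{f['domain']}\\{f['user']}", f["workstation"]) for f in failures)


def noisy_sources(failures, threshold=3):
    """Return (source, count) pairs at or above threshold, most frequent first."""
    return [(src, n) for src, n in count_by_source(failures).most_common() if n >= threshold]


if __name__ == "__main__":
    fails = extract_failures(SAMPLE_EVENTS)
    for f in fails:
        print(f"{f['event_id']} {f['domain']}\\{f['user']:<14} from "
              f"{f['workstation']:<14} {f['reason']}")
    for (who, where), n in noisy_sources(fails):
        print(f"ALERT: {n} failed logons for {who} from {where}")
```

    To use it on a real export, replace SAMPLE_EVENTS with tuples read from the
    saved log (the description column must be included in the export, or the
    records fetched with a tool that dumps the full event text); the threshold in
    noisy_sources is where you would tune what counts as worth a look.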
    



    This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 09:01:21 PDT