RE: [logs] FW: Windows Auditing question

From: Eric Fitzgerald (ericfat_private)
Date: Wed Jul 02 2003 - 11:01:12 PDT


    Tina's statement is correct, but I think Bruno's problem is slightly
    different: he wants to filter a single machine's log on an insertion
    string.
    
    Using WMI, you can directly access an event's insertion strings,
    enabling the query you're asking about.  Here's some sample VBScript
    that will get you the first 90% of the way, the second 90% is up to you.
    No, I won't give any further programming assistance 'cause it took me
    too long to figure this out myself :-)
    
    ---CUT HERE---
    ' Dump every event in the Security log, including its insertion strings.
    On Error Resume Next
    strComputer = "."
    
    ' Connect to WMI on the target machine. The (security) token requests the
    ' SeSecurityPrivilege, which is needed to read the Security log.
    Set objWMIService = _
        GetObject("winmgmts:{impersonationLevel=impersonate,(security)}\\" & _
        strComputer & "\root\cimv2")
    
    ' Flags 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32):
    ' semisynchronous, forward-only enumeration, which keeps memory use down
    ' on a large log.
    Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent " & _
        "Where Logfile='Security'",,48)
    
    For Each objItem in colItems
        Wscript.Echo "Timestamp: " & objItem.TimeGenerated
        Wscript.Echo "User:      " & objItem.User
        Wscript.Echo "Computer:  " & objItem.ComputerName
        Wscript.Echo "Type:      " & objItem.Type
        Wscript.Echo "Source:    " & objItem.SourceName
        Wscript.Echo "Category:  " & objItem.CategoryString
        Wscript.Echo "Event ID:  " & objItem.EventIdentifier
        Wscript.Echo "Description:"
    
        ' InsertionStrings holds the per-event values (user name, domain,
        ' workstation, ...) that Event Viewer only shows in the Details pane.
        For Each insertString In objItem.InsertionStrings
            WScript.Echo "     " & insertString
        Next
    
        Wscript.Echo
    
    Next
    ---CUT HERE---
    
    Eric 
    
    The above message is provided "AS-IS" with no warranty, and confers no
    rights.
    
    -----Original Message-----
    From: loganalysis-bouncesat_private
    [mailto:loganalysis-bouncesat_private] On Behalf Of Tina Bird
    Sent: Friday, June 27, 2003 8:57 AM
    To: Bruno Osuch
    Cc: 'loganalysisat_private'
    Subject: Re: [logs] FW: Windows Auditing question
    
    
    On Fri, 27 Jun 2003, Bruno Osuch wrote:
    
    > > Hello.  My supervisor has asked me to start monitoring bad or failed
    > > logon attempts for users.  I set up auditing but the "windows Event
    > > viewer" does not give me the proper data.  I am running NT 4 server
    > > sp6a.  The column for username just gives me "system" & the computer
    > > description is always the "$pdc" computer name.  I have to open each
    > > event in "details" to get the info for individuals.  When I "export"
    > > the data to xls I still only get the generic data NOT the detailed
    > > info I need to determine the "username & computer" the failed
    > > attempts are coming from.  Any way to do this?  Or what am I missing
    > > here?
    
    you're in a windows NT environment, right?  and clearly there's a domain
    involved.  it sounds like you've enabled login auditing on the primary
    domain controller.  unfortunately, on an NT 4 domain, the events for
    user login and logout are only recorded on the local workstations, not
    on the domain controller.
    
    so you can either grab logs from all your workstations, or upgrade to
    win2k that records domain logins at the domain controller.
    
    i'll see if i can find a reference to this, but i've got to go to a
    meeting...
    
    HTH -- tbird
    
    --
    I was being patient, but it took too long.
                                                  -- Anya, BtVS
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
    
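The following PowerShell is an added example and is not part of the original thread or Eric's script. It issues the same Win32_NTLogEvent query as the VBScript and then does the part Eric leaves out: filtering on the insertion strings to list failed logons by account and source workstation, which is the table Bruno could not get out of Event Viewer. The event ID (529, the NT4/2000 "Logon Failure" event) and the insertion-string positions used below are assumptions about that event's layout and should be checked against your own log; the sample events, names and timestamps are constructed so the filter runs without a Windows host.

```powershell
# Added example, not from the original post. Filters Security-log events on their
# insertion strings. Assumption (verify on your logs): NT4/2000 event 529 carries
# its insertion strings as user name, domain, logon type, logon process,
# authentication package, workstation name. Later Windows versions use other
# event IDs and layouts and need their own case in Select-FailedLogons.

function Get-SecurityEvents {
    # Same WQL query as the VBScript, via the WMI Win32_NTLogEvent class.
    # Reading the Security log needs SeSecurityPrivilege (the "(security)" token
    # in the VBScript moniker), so run as an administrator. On PowerShell 7 use
    # Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='Security'".
    param([string]$ComputerName = '.')
    Get-WmiObject -ComputerName $ComputerName `
        -Query "Select * from Win32_NTLogEvent Where Logfile='Security'"
}

function Select-FailedLogons {
    # Accepts Win32_NTLogEvent-shaped objects (EventCode, TimeGenerated,
    # InsertionStrings) and emits one record per failed logon with the account
    # and workstation pulled out of the insertion strings.
    # -User keeps only failures for that account name (case-insensitive).
    param(
        [Parameter(ValueFromPipeline = $true)] $Event,
        [string]$User
    )
    process {
        if ([int]$Event.EventCode -ne 529) { return }   # not a failed logon: skip
        $s = @($Event.InsertionStrings)
        if ($s.Count -lt 6) { return }                  # unexpected layout: skip rather than mis-attribute
        if ($User -and $s[0] -ne $User) { return }
        [pscustomobject]@{
            Time        = $Event.TimeGenerated
            Account     = '{0}\{1}' -f $s[1], $s[0]
            Workstation = $s[5]
            LogonType   = $s[2]
        }
    }
}

# Constructed sample events standing in for Win32_NTLogEvent instances, so the
# filter can be exercised offline. Names, times and hosts are made up.
$sample = @(
    [pscustomobject]@{ EventCode = 529; TimeGenerated = '20030627085700.000000-420'
                       InsertionStrings = @('jdoe', 'CORP', '2', 'User32', 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0', 'WS0142') }
    [pscustomobject]@{ EventCode = 528; TimeGenerated = '20030627085800.000000-420'
                       InsertionStrings = @('jdoe', 'CORP', '(0x0,0x3E7)', '2', 'User32', 'Negotiate', 'WS0142') }
    [pscustomobject]@{ EventCode = 529; TimeGenerated = '20030627090100.000000-420'
                       InsertionStrings = @('jdoe', 'CORP', '2', 'User32', 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0', 'WS0142') }
    [pscustomobject]@{ EventCode = 529; TimeGenerated = '20030627090500.000000-420'
                       InsertionStrings = @('admin', 'CORP', '3', 'NtLmSsp', 'NTLM', 'LAPTOP07') }
)

# Failed logons per account and source workstation. The successful logon (528)
# is dropped by the filter; the two jdoe failures from WS0142 are grouped.
$sample | Select-FailedLogons |
    Group-Object Account, Workstation |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Against a real host, replace $sample with Get-SecurityEvents. On an NT4 domain
# the failures are in each workstation's own log (Tina's point), so query them
# one at a time:
#   Get-SecurityEvents -ComputerName 'WS0142' | Select-FailedLogons -User 'jdoe'
```

Select-FailedLogons deliberately skips any 529 record with fewer than six insertion strings instead of guessing, because a mis-attributed failed logon is worse for monitoring than a missing one; if you add cases for other event IDs, keep the same rule.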
    This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 13:27:45 PDT