See my blog for information on why the NetworkService events occur (read the post on Windows Server 2003 SP1 auditing changes).

http://blogs.msdn.com/ericfitz/

Thanks,
Eric

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Frank Heyne
Sent: Monday, June 27, 2005 11:05 PM
To: loganalysis@private; Muhammad Khan
Subject: [logs] Re: Windows XP Event 528 & 538

On 26 Jun 2005 at 11:44, Muhammad Khan wrote:

> Hi,
> Windows XP records event 528 for user logon and 538 for user logoff.
> While looking into event-viewer I have seen that:-
> 1. In most of the cases, the event 538 and 528 are recorded for the same
> time (i.e. time of generation of event is same). Logically it should be
> different so that one can track about the duration of system usage by a
> particular user. If anyone can explain the logic behind them and how
> distinct Logon ID could be used to correlate the logon and logon
> processes to determine the system usage by different user.

See http://www.heysoft.de/nt/eventlog/faqa1.htm#A8

> 2. A lot many events for ID 528 and 538 are generated for user name
> Network Services and NT Authority. What is their utility? How can we
> use them to track down auditing of system usage?

You could try a tool I wrote for exactly this purpose - R528 from
http://www.heysoft.de/nt/eventlog/ep-re.htm

Frank Heyne

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
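An added example, not part of the original thread and not the R528 tool mentioned above: one way to pair event 528 with event 538 by Logon ID and total the session time per account, keeping the same-timestamp NT AUTHORITY sessions out of the human usage figures. The record layout, account names and Logon ID values are constructed for illustration, and the code assumes all records come from a single boot session so that a Logon ID is not reused.

```python
from datetime import datetime

# Constructed sample records, not real log data:
# (time generated, event id, domain, user, logon id)
SAMPLE = [
    ("2005-06-26 09:00:01", 528, "NT AUTHORITY", "NETWORK SERVICE", "0x1a2b3"),
    ("2005-06-26 09:00:01", 538, "NT AUTHORITY", "NETWORK SERVICE", "0x1a2b3"),
    ("2005-06-26 09:05:10", 528, "WKSTN1", "alice", "0x2f001"),
    ("2005-06-26 11:35:40", 538, "WKSTN1", "alice", "0x2f001"),
    ("2005-06-26 12:00:00", 528, "WKSTN1", "bob", "0x30aa0"),    # no logoff yet
    ("2005-06-26 12:10:00", 538, "WKSTN1", "carol", "0x0ffff"),  # logon not in log
]
FMT = "%Y-%m-%d %H:%M:%S"

def correlate(records):
    """Pair each 528 with the 538 carrying the same Logon ID.

    Returns (closed sessions, logons still open, logoffs with no logon).
    """
    open_logons, sessions, orphans = {}, [], []
    # Sort by time, then event id, so a 528 and 538 with the same
    # timestamp are processed as logon first, logoff second.
    for ts, event_id, domain, user, logon_id in sorted(
            records, key=lambda r: (r[0], r[1])):
        when = datetime.strptime(ts, FMT)
        if event_id == 528:
            open_logons[logon_id] = (when, domain, user)
        elif event_id == 538:
            start = open_logons.pop(logon_id, None)
            if start is None:
                orphans.append((logon_id, user))  # e.g. log was cleared or wrapped
                continue
            began, dom, usr = start
            sessions.append({"account": dom + "\\" + usr, "logon_id": logon_id,
                             "seconds": int((when - began).total_seconds())})
    return sessions, open_logons, orphans

def usage_by_account(sessions, ignore_domains=("NT AUTHORITY",)):
    """Sum session seconds per account, skipping built-in service principals."""
    totals = {}
    for s in sessions:
        if s["account"].split("\\")[0] in ignore_domains:
            continue
        totals[s["account"]] = totals.get(s["account"], 0) + s["seconds"]
    return totals

if __name__ == "__main__":
    closed, still_open, orphaned = correlate(SAMPLE)
    print(usage_by_account(closed), list(still_open), orphaned)
```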
This archive was generated by hypermail 2.1.3 : Sat Jul 02 2005 - 09:42:04 PDT