[logs] Re: Auditing User Network Login and Logoff information.

From: Ron Sweeney (sween@private)
Date: Sun Jul 31 2005 - 17:40:33 PDT


You can use eventtriggers... (once you get them to appear in your 
Security Event Log.. double-check your auditing is indeed turned on).

C:\>eventtriggers /create /eid <eventid> /tr EventID /ru domain\you /rp password ^
 /tk "cmd /c echo <eventid>, %COMPUTERNAME% >> \\path\to\centralfile.out"

I'm hoping there is a way to get more of the description in there...

This might help too:

 Event ID 529 : Unknown user name or bad password
 Event ID 530 : Logon time restriction violation
 Event ID 531 : Account disabled
 Event ID 532 : Account expired
 Event ID 533 : Workstation restriction - not allowed to logon at this computer
 Event ID 534 : Inadequate rights - as in user account attempting console login to server
 Event ID 535 : Password expired
 Event ID 536 : NetLogon service down
 Event ID 537 : unexpected error - the who knows ??? factor
 Event ID 539 : Logon Failure: Account locked out
 Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
 Event ID 644 : User account Locked out


Varadarajam wrote:
> Hi,
>  
> I would like to know some information about auditing logon
> events. I enabled "audit account logon events" in my Default Domain 
> Policy on my Domain Controller. I am getting some logs in the Security 
> audit with event IDs 538, 540, 672, 673, 680, 517 and the like, but I 
> couldn't find the client logon and logoff information exactly. I have 
> checked a lot of websites; they mention 528 for Logon and 538 for 
> Logoff, but I am not getting these events in my Security Log. So I 
> couldn't find the client user's exact network logon and 
> logoff information, like when he logged on to his computer and when 
> he logged off from his computer; that is the information I would like to know.
> 
>  Kindly please help me with this with full and clear information.
> Varadarajam.P.V.
> Systems Administrator
> Softpro Systems Ltd.,
> Plot # 12, Softpro Heights,
> Software Units Layout
> Madhapur, Hyderabad - 500 081.
> Ph: 040- 23111793/23111806 Extn:2037
> Fax# 040- 23100385

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
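An added example, not code from either poster: a small Python script that takes an exported Security log, pairs 528/540 logons with the next 538 logoff for the same user on the same computer, and tallies the failure events using the ID table from Ron's reply. The input is a constructed comma-separated export with the columns time,computer,event_id,user (an assumption for this example, not the output of any specific tool), and 540 is read with its standard pre-Vista meaning, "successful network logon". A logon that never gets a 538 is reported as still open, which is the situation the original question describes.

```python
"""Reconstruct logon/logoff sessions and summarise failed logons from an
exported Windows Security log (pre-Vista event IDs, as in the thread).

Input format (an assumption for this example, not any tool's real export):
    time,computer,event_id,user
"""
from collections import Counter
from datetime import datetime

# 528/538 are the logon/logoff IDs cited in the question; 540 is the standard
# "successful network logon" ID (not described on the thread itself).
LOGON_IDS = {528: "Successful logon", 540: "Successful network logon"}
LOGOFF_ID = 538

# Failure descriptions as listed in the reply.
FAILURE_DESCRIPTIONS = {
    529: "Unknown user name or bad password",
    530: "Logon time restriction violation",
    531: "Account disabled",
    532: "Account expired",
    533: "Workstation restriction - not allowed to logon at this computer",
    534: "Inadequate rights - user account attempting console login to server",
    535: "Password expired",
    536: "NetLogon service down",
    537: "Unexpected error",
    539: "Logon Failure: Account locked out",
    627: "NT AUTHORITY\\ANONYMOUS is trying to change a password",
    644: "User account locked out",
}

# Constructed sample export; hostnames and users are made up.
SAMPLE_EXPORT = """\
2005-07-31 08:02:11,WS-FINANCE-01,528,CORP\\alice
2005-07-31 08:05:40,FILESRV01,540,CORP\\alice
2005-07-31 08:06:02,FILESRV01,538,CORP\\alice
2005-07-31 09:14:57,WS-FINANCE-02,529,CORP\\bob
2005-07-31 09:15:03,WS-FINANCE-02,529,CORP\\bob
2005-07-31 09:15:09,WS-FINANCE-02,539,CORP\\bob
2005-07-31 10:00:00,WS-FINANCE-02,528,CORP\\carol
2005-07-31 17:31:20,WS-FINANCE-01,538,CORP\\alice
"""


def parse_events(text):
    """Parse the export into a list of event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, computer, event_id, user = line.split(",", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "computer": computer,
            "event_id": int(event_id),
            "user": user,
        })
    events.sort(key=lambda e: e["time"])
    return events


def build_sessions(events):
    """Pair each 528/540 logon with the next 538 for the same user+computer.
    Unmatched logons are returned with logoff=None (still open / 538 missing)."""
    open_logons = {}   # (user, computer) -> list of unmatched logon events
    sessions = []
    for e in events:
        key = (e["user"], e["computer"])
        if e["event_id"] in LOGON_IDS:
            open_logons.setdefault(key, []).append(e)
        elif e["event_id"] == LOGOFF_ID and open_logons.get(key):
            logon = open_logons[key].pop(0)        # earliest unmatched logon
            sessions.append({"user": e["user"], "computer": e["computer"],
                             "logon_type": LOGON_IDS[logon["event_id"]],
                             "logon": logon["time"], "logoff": e["time"]})
    for (user, computer), pending in open_logons.items():
        for logon in pending:
            sessions.append({"user": user, "computer": computer,
                             "logon_type": LOGON_IDS[logon["event_id"]],
                             "logon": logon["time"], "logoff": None})
    sessions.sort(key=lambda s: s["logon"])
    return sessions


def summarize_failures(events):
    """Count failure events per (event_id, user) and attach the description."""
    counts = Counter((e["event_id"], e["user"]) for e in events
                     if e["event_id"] in FAILURE_DESCRIPTIONS)
    return [{"event_id": eid, "user": user, "count": n,
             "description": FAILURE_DESCRIPTIONS[eid]}
            for (eid, user), n in sorted(counts.items())]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for s in build_sessions(evs):
        end = s["logoff"].isoformat(" ") if s["logoff"] else "STILL OPEN (no 538)"
        print(f"{s['user']:<12} {s['computer']:<14} {s['logon_type']:<25} "
              f"{s['logon']:%Y-%m-%d %H:%M:%S} -> {end}")
    for f in summarize_failures(evs):
        print(f"{f['user']:<12} event {f['event_id']} x{f['count']}: {f['description']}")
```

Pairing on user and computer rather than on logon ID alone is deliberate: a user's interactive logon on a workstation (528) and a network logon to a file server (540) overlap in time, and matching the 538 by computer keeps the two sessions from being confused with each other.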



This archive was generated by hypermail 2.1.3 : Sun Jul 31 2005 - 17:47:46 PDT