Varadarajam:

You need to enable logon/logoff auditing in local audit policy (secpol.msc, security settings, local policies, audit policy) or on the domain (Default Domain Policy and Default Domain Controllers Policy).

Eric Fitzgerald
Program Manager, Windows Core Security
Microsoft Corporation
425-705-9601

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Ron Sweeney
Sent: Sunday, July 31, 2005 5:41 PM
Cc: loganalysis@private
Subject: [logs] Re: Auditing User Network Login and Logoff information.

You can use eventtriggers... (once you get them to appear in your Security Event Log.. double check your auditing is indeed turned on).

    C:\>eventtriggers /create /eid:<eventid> /tr EventID /ru domain\you /rp password /tk "echo <eventid>, %COMPUTERNAME%>>\\path\to\centralfile.out"

I'm hoping there is a way to get more of the description in there...

This might help too:

* Event ID 529 : Unknown user name or bad password
* Event ID 530 : Logon time restriction violation
* Event ID 531 : Account disabled
* Event ID 532 : Account expired
* Event ID 533 : Workstation restriction - not allowed to logon at this computer
* Event ID 534 : Inadequate rights - as in user account attempting console login to server
* Event ID 535 : Password expired
* Event ID 536 : NetLogon service down
* Event ID 537 : unexpected error - the who knows ??? factor
* Event ID 539 : Logon Failure: Account locked out
* Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
* Event ID 644 : User account Locked out

Varadarajam wrote:
> Hi,
>
> I would like to know some information about this auditing logon
> events. I enabled audit account logon events in my Default Domain
> Policy in my Domain Controller. I am getting some logs in Security
> audit with event ID 538,540,672,673,680,517 like that. But I couldn't
> find the Client Logon and Logoff information exactly. I have
> checked a lot of websites, it's mentioning like 528 for Logon, 538 for
> Logoff. But I am not getting these events in my Security Log. So, I
> couldn't find the client user exact network logon and logoff
> information like, When did he logon to his computer and when did he
> logoff from his computer like that information I would like to know..
>
> Kindly pls help me in this with the full and clear information.
> Varadarajam.P.V.
> Systems Administrator
> Softpro Systems Ltd.,
> Plot # 12, Softpro Heights,
> Software Units Layout
> Madhapur, Hyderabad - 500 081.
> Ph: 040- 23111793/23111806 Extn:2037
> Fax# 040- 23100385
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
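An added example, not part of any message in this thread: once the events are being collected centrally, the logon/logoff times asked about can be rebuilt by pairing logon events (528, 540) with logoff events (538) and labelling failures with the reasons listed above. The CSV layout, the sample rows, and the use of a per-session Logon ID column to pair events are assumptions made for this sketch.

```python
import csv
from datetime import datetime
from io import StringIO

# Logon-failure reasons as listed in the thread above.
FAILURE_REASONS = {
    529: "Unknown user name or bad password",
    530: "Logon time restriction violation",
    531: "Account disabled",
    532: "Account expired",
    533: "Workstation restriction",
    534: "Inadequate rights",
    535: "Password expired",
    536: "NetLogon service down",
    537: "Unexpected error",
    539: "Logon Failure: Account locked out",
}
LOGON_EVENTS = {528, 540}  # 528 = logon (per the thread); 540 = network logon
LOGOFF_EVENT = 538         # logoff (per the thread)

# Constructed sample export: time, event ID, user, Logon ID (assumed layout).
SAMPLE = """\
2005-07-31 08:58:40,529,alice,-
2005-07-31 09:00:12,528,alice,0x3e9a1
2005-07-31 09:05:00,540,svc_backup,0x4b210
2005-07-31 09:05:02,538,svc_backup,0x4b210
2005-07-31 17:31:45,538,alice,0x3e9a1
2005-07-31 18:02:10,539,guest,-
2005-07-31 18:10:00,528,bob,0x5c001
"""

def analyse(text):
    """Return (sessions, failures, users with a logon but no logoff)."""
    open_sessions, sessions, failures = {}, [], []
    for ts, eid, user, logon_id in csv.reader(StringIO(text)):
        when, eid = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid)
        if eid in LOGON_EVENTS:
            open_sessions[logon_id] = (user, when)
        elif eid == LOGOFF_EVENT and logon_id in open_sessions:
            owner, start = open_sessions.pop(logon_id)
            sessions.append((owner, start, when))
        elif eid in FAILURE_REASONS:
            failures.append((when, user, FAILURE_REASONS[eid]))
    still_open = sorted(user for user, _ in open_sessions.values())
    return sessions, failures, still_open

if __name__ == "__main__":
    for user, start, end in analyse(SAMPLE)[0]:
        print(f"{user}: logon {start}, logoff {end}, duration {end - start}")
```

A logoff with no matching logon in the input (for example, a session that started before the export window) is ignored rather than guessed at.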
This archive was generated by hypermail 2.1.3 : Mon Aug 08 2005 - 15:30:56 PDT