[logs] Re: Auditing User Network Login and Logoff information.

From: Eric Fitzgerald (ericf@private)
Date: Fri Aug 05 2005 - 13:07:51 PDT


Varadarajam:

You need to enable logon/logoff auditing in local audit policy
(secpol.msc, security settings, local policies, audit policy) or on the
domain (Default Domain Policy and Default Domain Controllers Policy).

Eric Fitzgerald
Program Manager, Windows Core Security
Microsoft Corporation
425-705-9601

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private
[mailto:loganalysis-bounces+ericf=windows.microsoft.com@private]
On Behalf Of Ron Sweeney
Sent: Sunday, July 31, 2005 5:41 PM
Cc: loganalysis@private
Subject: [logs] Re: Auditing User Network Login and Logoff information.

You can use eventtriggers... (once you get them to appear in your
Security Event Log; double check your auditing is indeed turned on).

C:\>eventtriggers /create /eid:<eventid> /tr EventID /ru domain\you /rp password /tk "cmd /c echo <eventid>, %COMPUTERNAME% >> \\path\to\centralfile.out"

I'm hoping there is a way to get more of the description in there...

This might help too:

* Event ID 529 : Unknown user name or bad password
* Event ID 530 : Logon time restriction violation
* Event ID 531 : Account disabled
* Event ID 532 : Account expired
* Event ID 533 : Workstation restriction - not allowed to logon at this computer
* Event ID 534 : Inadequate rights - as in user account attempting console login to server
* Event ID 535 : Password expired
* Event ID 536 : NetLogon service down
* Event ID 537 : unexpected error - the who knows ??? factor
* Event ID 539 : Logon Failure: Account locked out
* Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
* Event ID 644 : User account Locked out


Varadarajam wrote:
> Hi,
>  
> I would like to know some information about auditing logon
> events. I enabled "audit account logon events" in my Default Domain
> Policy on my Domain Controller. I am getting some logs in the Security
> audit log with event IDs 538, 540, 672, 673, 680, 517 and so on. But I
> have not been able to find the client logon and logoff information
> exactly. I have checked a lot of websites; they mention 528 for Logon
> and 538 for Logoff, but I am not getting these events in my Security
> Log. So I cannot find the client user's exact network logon and logoff
> information, i.e. when he logged on to his computer and when he
> logged off from his computer.
> 
> Kindly please help me with this with full and clear information.
> Varadarajam.P.V.
> Systems Administrator
> Softpro Systems Ltd.,
> Plot # 12, Softpro Heights,
> Software Units Layout
> Madhapur, Hyderabad - 500 081.
> Ph: 040- 23111793/23111806 Extn:2037
> Fax# 040- 23100385
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

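What Varadarajam is after is the pairing of each logon with its logoff, and the event IDs Ron lists are the raw material for that. The following is an added example, not code from anyone in the thread: it reads a tab-separated export of a Windows 2000/2003 Security log (the record layout and the sample records are constructed here; the "User Name:", "Domain:", "Logon ID:" and "Logon Type:" tokens are the ones that appear in the 528/538/540 event descriptions), ties every 538 logoff to the 528 or 540 logon that carries the same Logon ID, and classifies the 529-539 failures with Ron's reason table. Sessions with no 538 in the export are reported as still open rather than guessed, and a 538 whose logon is not in the export is kept as an orphan.

```python
import re
from datetime import datetime

# Windows 2000/2003 Security log event IDs discussed in the thread.
LOGON_EVENTS = {528: "logon", 540: "network logon"}
LOGOFF_EVENT = 538
FAILURE_REASONS = {
    529: "Unknown user name or bad password",
    530: "Logon time restriction violation",
    531: "Account disabled",
    532: "Account expired",
    533: "Workstation restriction",
    534: "Inadequate rights for the requested logon type",
    535: "Password expired",
    536: "NetLogon service down",
    537: "Unexpected error",
    539: "Account locked out",
}

# Constructed sample export (not real log data): one record per line,
# "date time<TAB>event id<TAB>description".  The Logon ID ties a 538 logoff
# to its 528/540 logon; the first 538 deliberately has no logon in the export.
SAMPLE_LOG = """\
8/1/2005 8:58:00 AM\t538\tUser Logoff: User Name: svc-backup Domain: SOFTPRO Logon ID: (0x0,0x2A0F1) Logon Type: 3
8/1/2005 9:02:14 AM\t528\tSuccessful Logon: User Name: jdoe Domain: SOFTPRO Logon ID: (0x0,0x3E7B2) Logon Type: 2 Logon Process: User32 Workstation Name: WS-014
8/1/2005 9:05:41 AM\t540\tSuccessful Network Logon: User Name: jdoe Domain: SOFTPRO Logon ID: (0x0,0x3F100) Logon Type: 3 Logon Process: Kerberos Workstation Name: WS-014
8/1/2005 9:05:42 AM\t538\tUser Logoff: User Name: jdoe Domain: SOFTPRO Logon ID: (0x0,0x3F100) Logon Type: 3
8/1/2005 9:10:03 AM\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: asmith Domain: SOFTPRO Logon Type: 2 Workstation Name: WS-022
8/1/2005 5:31:09 PM\t538\tUser Logoff: User Name: jdoe Domain: SOFTPRO Logon ID: (0x0,0x3E7B2) Logon Type: 2
8/1/2005 6:00:00 PM\t528\tSuccessful Logon: User Name: bkumar Domain: SOFTPRO Logon ID: (0x0,0x41AC0) Logon Type: 2 Logon Process: User32 Workstation Name: WS-030
"""


def parse_record(line):
    """Split one export line into (timestamp, event id, description)."""
    stamp, event_id, description = line.split("\t", 2)
    return datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"), int(event_id), description


def field(description, name):
    """Pull a 'Name: value' token out of the event description text."""
    match = re.search(re.escape(name) + r":\s*(\S+)", description)
    return match.group(1) if match else None


def account(description):
    """DOMAIN\\user as written in the event description."""
    return f'{field(description, "Domain")}\\{field(description, "User Name")}'


def correlate(log_text):
    """Pair logon events with logoffs by Logon ID; collect failures separately."""
    open_sessions = {}  # Logon ID -> session that has not seen its 538 yet
    sessions, failures, orphan_logoffs = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, description = parse_record(line)
        if event_id in LOGON_EVENTS:
            logon_id = field(description, "Logon ID")
            session = {
                "user": account(description),
                "kind": LOGON_EVENTS[event_id],
                "logon_type": int(field(description, "Logon Type")),  # 2 interactive, 3 network
                "workstation": field(description, "Workstation Name"),
                "logon_id": logon_id,
                "logon": stamp,
                "logoff": None,  # stays None if no matching 538 is seen
            }
            open_sessions[logon_id] = session
            sessions.append(session)
        elif event_id == LOGOFF_EVENT:
            session = open_sessions.pop(field(description, "Logon ID"), None)
            if session is None:
                # 538 whose logon is not in this export (logon predates it,
                # or the log wrapped): keep it instead of silently dropping it.
                orphan_logoffs.append((stamp, account(description)))
            else:
                session["logoff"] = stamp
        elif event_id in FAILURE_REASONS:
            failures.append({
                "when": stamp,
                "user": account(description),
                "event_id": event_id,
                "reason": FAILURE_REASONS[event_id],
                "workstation": field(description, "Workstation Name"),
            })
    return {"sessions": sessions, "failures": failures, "orphan_logoffs": orphan_logoffs}


def duration_seconds(session):
    """Session length, or None while the session has no logoff event."""
    if session["logoff"] is None:
        return None
    return int((session["logoff"] - session["logon"]).total_seconds())


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for s in result["sessions"]:
        print(f'{s["user"]:16} {s["kind"]:14} type {s["logon_type"]} on {s["workstation"]}: '
              f'{s["logon"]} -> {s["logoff"] or "still open"}')
    for f in result["failures"]:
        print(f'FAILED {f["when"]} {f["user"]} on {f["workstation"]}: {f["event_id"]} {f["reason"]}')
    for stamp, user in result["orphan_logoffs"]:
        print(f"orphan logoff {stamp} {user}")
```

Two things to keep in mind when running this against a real export. First, "Audit logon events" writes the 528/538 pair on the machine where the logon happens, so a user's interactive logon to his own workstation lands in that workstation's Security log, while the domain controller sees the 540/672/673/680 traffic from his workstation talking to the DC; to answer "when did he log on to his computer" the workstations themselves need the policy and their logs need collecting. Second, a session the code reports as still open can mean the user really is still logged on or that no 538 was ever written for that Logon ID, so treat a missing logoff as unknown rather than as a long session.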



This archive was generated by hypermail 2.1.3 : Mon Aug 08 2005 - 15:30:56 PDT