<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 4624 - An account was successfully logged on </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Thu, 17 May 2012 08:41:29 GMT</lastBuildDate><ttl>20</ttl><item><title>Differing log formats</title><link>http://forum.ultimatewindowssecurity.com/Topic993-167-1.aspx</link><description>We're collecting these Windows event logs (2008) with our SIEM solution (.png files attached).&lt;br&gt;&lt;br&gt;Can anyone tell me why these logs look so different when they have the same event ID? I'm mainly curious about why:&lt;br&gt;&lt;br&gt;... one log has a hex value for the &lt;keywords&gt; field and the other has "Audit Success".&lt;br&gt;... one log is multi-line and the other is single-line.&lt;br&gt;... one log is missing &lt;EventData&gt; ("An account was successfully logged on").&lt;br&gt;... the logs are in different formats (one looks like XML?).&lt;br&gt;&lt;br&gt;Do I have some kind of odd setting enabled? Does anyone have any ideas?&lt;br&gt;&lt;br&gt;Thank you in advance!</description><pubDate>Tue, 24 Apr 2012 11:00:34 GMT</pubDate><dc:creator>virginiac</dc:creator></item><item><title>Event ID: 4624 - Anonymous Logon</title><link>http://forum.ultimatewindowssecurity.com/Topic236-167-1.aspx</link><description>Hello,&lt;/P&gt;&lt;P&gt;I have a system that has many Event ID 4624 Successful (Anonymous) Logons with the corresponding 4634 Logoffs. The account name is ANONYMOUS, with NO network information whatsoever on any of the event entries with the account domain as NT AUTHORITY. 
There is a total of 1185 over a 12-month period.&lt;/P&gt;&lt;P&gt;These are all Logon Type 3 (network)&lt;/P&gt;&lt;P&gt;Are there any legitimate reasons for this? How come there is NO source IP or workstation name listed on any of these? This is on a Windows Vista system. There is an IIS_Guest account, but the system is not supposed to be running a web service. Though I'm not sure how I can check. Are there any registry keys that would show this? All I have is a dead system image, and I can't boot it up.&lt;/P&gt;&lt;P&gt;Thanks,</description><pubDate>Thu, 15 Oct 2009 16:15:39 GMT</pubDate><dc:creator>mwade</dc:creator></item><item><title>Logon type 12 &amp; 13?</title><link>http://forum.ultimatewindowssecurity.com/Topic911-167-1.aspx</link><description>Hi Randy,&lt;P&gt;I was digging through events in one of my labs and came across logon type 12 on some events (Event ID 4624). I had never heard of this logon type so I Googled it, and found reference to logon type 13 as well (although I have not seen that logon type in my lab).&lt;/P&gt;&lt;P&gt;Logon type 12 is "CachedRemoteInteractive".&lt;/P&gt;&lt;P&gt;Logon type 13 is "CachedUnlock".&lt;/P&gt;&lt;P&gt;Have you seen these two logon types in the wild? </description><pubDate>Sat, 11 Feb 2012 00:21:31 GMT</pubDate><dc:creator>Braino</dc:creator></item><item><title>Many 4624 events (logon type 3) on DC from 1 user account within short time</title><link>http://forum.ultimatewindowssecurity.com/Topic809-167-1.aspx</link><description>Hello&lt;br&gt;&lt;br&gt;On our DC I noticed lots of 4624 events (logon type 3) coming from a user account (not a computer account). Within 4.5 hours, this user logged in more than 100 times via the network, always from the same IP address, always using Kerberos as a logon process. In fact there are a few user accounts with similar behaviour.&lt;br&gt;&lt;br&gt;What are possible reasons for this? 
The user's group policy only refreshes every 60 minutes and there are no mapped drives or open shares to the DC. Are there any other reasons for this event to be logged on a DC?&lt;br&gt;&lt;br&gt;Thanks for your advice!</description><pubDate>Tue, 04 Oct 2011 21:46:00 GMT</pubDate><dc:creator>stefan</dc:creator></item><item><title>Tracking interactive logons</title><link>http://forum.ultimatewindowssecurity.com/Topic330-167-1.aspx</link><description>I am trying to track interactive logons and am looking for the right mix. I did not really see that many of these log entries in the Windows 2008 DC that I have been looking through. Watched your webinar about the Kerberos events and that looks promising but takes multiple events to process a logon. Not very easy with syslog parsing. What is the best way to go about determining the interactive logons in a Windows 2008 domain? Is it 4624? Or is it 4768+4769?&lt;br&gt;&lt;br&gt;Thanks,&lt;br&gt;Ed&lt;br&gt;</description><pubDate>Wed, 10 Mar 2010 17:47:43 GMT</pubDate><dc:creator>mns</dc:creator></item><item><title>Filter system logon events (type 3)</title><link>http://forum.ultimatewindowssecurity.com/Topic486-167-1.aspx</link><description>I have set up audit levels using auditpol. However I can't figure out how to log some logon events and not others. I want to log whenever a user logs into a machine interactively, remotely, via a share, batch, etc. But I don't want to log when a system accesses another system, especially when it's a system accessing a DC for replication or something.&lt;br&gt;&lt;br&gt;If I go to my event viewer I have thousands of entries where the SID is anonymous or NULL, or it's DOMAINNAME \ SYSTEMNAME$ or it's SYSTEM but the account name is SYSTEMNAME$.&lt;br&gt;&lt;br&gt;Annoyingly they are all of Logon Type 3. 
Is there no way to say "don't log all this extra stuff and just log regular access method events?"</description><pubDate>Sat, 02 Oct 2010 14:09:50 GMT</pubDate><dc:creator>MrSampsonite</dc:creator></item><item><title>Distinguishing 4624 Logon Events</title><link>http://forum.ultimatewindowssecurity.com/Topic481-167-1.aspx</link><description>Hi,&lt;/P&gt;&lt;P&gt;I am writing an application (C#) to gather various data for users on a network. This includes the logon and logoff times, taken from the security log. My application retrieves 4624 and 4634 events and dumps them to a file. The problem here is that I get numerous 4624 events returned all around the same timestamp. My question is how do I distinguish which is the actual logon event for the user?&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;Stephen</description><pubDate>Fri, 01 Oct 2010 06:32:28 GMT</pubDate><dc:creator>Shockmeister</dc:creator></item><item><title>Remote Desktop Login Event IDs</title><link>http://forum.ultimatewindowssecurity.com/Topic425-167-1.aspx</link><description>I'm in the process of setting up my log appliance to report on RDP usage on a Windows 2008 R2 server. The problem I am having is that I'm not seeing any 4624 type 10 in the security log after a successful RDP connection. I have auditing enabled in Terminal Services configuration, but still nothing. Is there a different ID I should be looking for?&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Brian</description><pubDate>Mon, 09 Aug 2010 11:01:25 GMT</pubDate><dc:creator>blindstrum</dc:creator></item><item><title>Tracking failed logons on a Windows 2008 DC</title><link>http://forum.ultimatewindowssecurity.com/Topic375-167-1.aspx</link><description>We need to be able to track failed logon attempts on domain accounts from the logs on the DC. We are getting 4771 events now but there are no failure codes that I can find. Am I missing something here? 
Is there additional logging that needs to be enabled to get these 4771 failures to show in the logs?</description><pubDate>Thu, 06 May 2010 13:44:25 GMT</pubDate><dc:creator>mns</dc:creator></item></channel></rss>
