Quick Question about Capturing Logon/Logoff's...
Posted 7/7/2009 3:37:21 PM
Forum Newbie
Hello,

What would be the best practice in truly capturing the logons/logoffs of a physical being? With over 50 to 100 of these types of event codes (538s, 528s and 540s) it's hard determining what is what in our logs, so it's difficult to say when the user is actually "physically" logging on or off of their machine. What would be the best practice to interpret these entries if doing an audit on a user? Should we also obtain their SecEvent.EVT file from their local system as well? Thanks for your help.
Post #130
Posted 7/7/2009 5:15:22 PM
Expert
You really need to monitor each local workstation for 528 (logon type 2) and 538/551.  Not what you want to hear, but that is really the only way.
Post #131
Posted 7/7/2009 6:52:34 PM
Forum Newbie
Hi Randy, thanks for responding. So just to confirm what you have said, you literally have to pull the SecEvent.EVT file from each system to truly get the most accurate logon/logoff results of a user?
Post #132
Posted 7/7/2009 7:08:17 PM
Expert
Yes, because it's only the workstation that really has knowledge of the user's logon session.  We can do a pretty good job of picking out initial workstation logons from domain controllers if you have multi-event correlation capabilities, but it's not 100% correct and it only tells you about the initial logon - not the logoff at all.  Forget file servers.
Post #133
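The approach Randy describes in the two replies above, as an added example that is not part of the thread: pair each workstation 528 with logon type 2 to its 538/551 by Logon ID, and ignore the 540 network logons that make the log hard to read. The event records are constructed sample data in a simplified form (a real SecEvent.EVT would first be parsed by a dedicated tool); the dataclass fields and the `(0x0,0x...)` Logon ID strings are my assumptions about that pre-parsed shape.

```python
"""Pair interactive logons (528, logon type 2) with logoffs (538/551) per
Logon ID on a single workstation's Security log. Example code, not from
the forum thread; event shape and sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Event:
    time: datetime
    event_id: int              # 528 logon, 540 network logon, 538 logoff, 551 user-initiated logoff
    user: str
    logon_type: Optional[int]  # 2 = interactive console; None when the record carries none
    logon_id: str              # Windows Logon ID ties logon and logoff of one session

# Constructed sample: one console session, 540/538 network-logon noise, and
# a second console logon with no logoff recorded yet.
SAMPLE = [
    Event(datetime(2009, 7, 7, 8, 1), 528, "jdoe", 2, "(0x0,0x1A2B)"),
    Event(datetime(2009, 7, 7, 8, 5), 540, "jdoe", 3, "(0x0,0x1C00)"),
    Event(datetime(2009, 7, 7, 8, 6), 538, "jdoe", 3, "(0x0,0x1C00)"),
    Event(datetime(2009, 7, 7, 12, 0), 551, "jdoe", None, "(0x0,0x1A2B)"),
    Event(datetime(2009, 7, 7, 12, 0), 538, "jdoe", 2, "(0x0,0x1A2B)"),
    Event(datetime(2009, 7, 7, 13, 0), 528, "jdoe", 2, "(0x0,0x2F00)"),
]

def interactive_sessions(events):
    """Return (user, logon_id, start, end) for each console session.
    end is None when no matching 538/551 is present: the user is still
    logged on, or the log wrapped before the logoff was written."""
    open_sessions = {}   # logon_id -> the 528 event that opened it
    sessions = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 528 and ev.logon_type == 2:
            open_sessions[ev.logon_id] = ev
        elif ev.event_id in (538, 551) and ev.logon_id in open_sessions:
            # First logoff event for the session closes it; the paired
            # 538 that follows a 551 is then ignored.
            start = open_sessions.pop(ev.logon_id)
            sessions.append((start.user, ev.logon_id, start.time, ev.time))
    for start in open_sessions.values():
        sessions.append((start.user, start.logon_id, start.time, None))
    return sessions

if __name__ == "__main__":
    for user, lid, start, end in interactive_sessions(SAMPLE):
        print(user, lid, start, end or "still logged on")
```

Any Logon ID that only ever appears in 540/538 pairs is network traffic to the machine, not the person sitting at it, which is why it never becomes a session here.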
Posted 7/8/2009 9:50:20 AM
Forum Newbie
Hi Randy, appreciate ya sticking with me on this, one last question. What we've discussed here, I assume you already know, I'm speaking about best practices for capturing logon/logoffs in a domain environment. Would this discussion still apply to that scenario?
Post #134
Posted 7/8/2009 11:14:41 AM
Expert
Yes, domain environment was already assumed.  You see, there's really no such thing as "logging onto the domain".  When you log on to your workstation with a domain account, your workstation checks with the domain controller to authenticate you, but your logon session is to the workstation itself.  The domain controller doesn't keep track of the fact you are logged on; it doesn't even know how you logged on in terms of interactive, network, remote desktop, scheduled task, service, etc.
Post #135
Posted 7/8/2009 2:53:07 PM
Forum Newbie
Thanks for your help Randy, you are the man!
Post #136