Forum Newbie
Group: Forum Members
Hi,
I am trying to link Account Logon events (672, 673, etc.) on my DC to the associated logon events (540, etc.) on the same server. I have tried to link them by looking for the same Logon_GUID and Logon_ID fields, but they do not correlate. I have checked every single possible pair of 672/673 and 540 events in our log and none share the same Logon_GUID or Logon_ID.
Can someone tell me how I'm going wrong?
Thanks,
RU

Supreme Being
Group: Moderators
I don't believe that these events will necessarily link. 540 is a logon event, while 672 and 673 are authentication events. The Logon GUID in 540 is not documented, so I wouldn't assume that it will correlate to any other events. Event ID 540 will be logged whether the account is a local SAM account or a domain account. Events 672 and 673 are Kerberos-related, so you won't be able to assume that these events can be correlated.