Tracking interactive logons
Posted 3/10/2010 5:47:43 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
I am trying to track interactive logons and am looking for the right mix. I did not really see that many of these log entries in the Windows 2008 DC that I have been looking through. Watched your webinar about the kerberos events and that looks promising but takes multiple events to process a logon. Not very easy with syslog parsing. What is the best way to go about determining the interactive logons in a Windows 2008 domain? Is it 4624? or is it 4768+4769?

Thanks,
Ed
Post #330
Posted 3/11/2010 7:38:22 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 324, Visits: 0
Interactive logons (event ID 4624/528 with logon type 2) are recorded on the workstation where the user logs on - not on the domain controller.  So you either collect all your workstation logs or try to correlate the Kerberos event pattern to which you refer.  Neither way is optimal I realize but that's all there is unless you buy 3rd party software.
Post #331
Posted 3/15/2010 12:16:04 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
I am seeing 4768 events but am not seeing the following 3 4769 events per your webcast "Understanding Authentication Events in the Windows 2003 and 2008 Security Logs".

Is there additional auditing that needs to be enabled in order to save this or is this on by default in Windows 2008?
Post #332
Posted 3/15/2010 3:01:27 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 324, Visits: 0
It sounds like you don't have the Kerberos Service Ticket Operations sub-category turned on.  You'll need to use the auditpol command to turn this on on each DC unless you have Win2008 R2 domain controllers, which provide a new folder in group policy for configuring audit subcategories.
Post #333
Posted 3/16/2010 5:54:34 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
Just to clarify, I do see 4769 events but I do not see 3 of them. Normally I see 2 of them, one for the workstation and one for the DC. I do not see the matching 4769 krbtgt service name event.

Is it safe to say that if a 4769 event for krbtgt service name follows a 4768 request from a non-computer account (no $ on end) then it is an interactive logon?

If I were to generalize this for multiple domains, I am presuming that there is no way, from the logs, to know what is a DC, what is a File Server, what is an Exchange server, etc. without knowing these names ahead of time. Is that right?

Post #336
Posted 3/16/2010 9:06:59 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 324, Visits: 0
Interesting.  Perhaps the pattern has changed on Win2008.

Your generalization will not work because the pattern you described would also fit logons to applications like Exchange and Sharepoint.  You need to see the authentication ticket (TGT/4768) event followed by a service ticket (4769) for the DC and then another for the computer.  Without the 4769 for the DC you are dealing with a direct logon to an application like Exchange.  The 4769 for the DC is triggered because the workstation has to look up group policy on behalf of the user which tells you it is an interactive logon.

For most events there's no good way to just look at the event and determine if it's a DC or not. Of course these Kerberos events are only logged on DCs.

Post #338
Posted 4/2/2010 12:25:37 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
As a follow-up question on what I believe to be the same event id, how do I determine when a machine logged on to the network? I would like to gather a list of the computers and their IP addresses from these kerberos logs. This should be possible if I could understand the logs correctly.
Post #347
Posted 4/5/2010 11:50:15 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 324, Visits: 0
By "when a machine logged onto the network" I take you to mean when a Windows workstation or server booted up and accessed AD for application of Group Policy and other AD services - right?  Not when a user logged in to that computer.

For that scenario you need to use the Account Logon category, Kerberos Authentication Service subcategory, event ID 4768 where "Account Name:" is a computer name.  You can identify computer names because they end in a dollar sign.  Client Address will give you the computer's IP.

Post #348
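The two DC-side patterns described in posts #338 and #348 (a user's 4768 followed by a 4769 for a DC and then a 4769 for the workstation marks an interactive logon; a 4768 whose Account Name ends in `$` gives a computer's startup and its Client Address) can be written as a small correlation routine. This is an added example, not code from the thread or from the webinar; the event records, host names, addresses and the `DC_NAMES` set are constructed, and the 60-second window is an assumed tuning value.

```python
"""Correlate constructed 4768/4769 records the way the thread describes."""
from collections import defaultdict

# Constructed sample events carrying only the fields the correlation needs
# (event ID, Account Name, Service Name, Client Address, time in seconds).
EVENTS = [
    {"id": 4768, "account": "WKS01$", "service": "krbtgt", "client": "10.0.0.51", "time": 1},
    {"id": 4768, "account": "alice",  "service": "krbtgt", "client": "10.0.0.51", "time": 2},
    {"id": 4769, "account": "alice",  "service": "DC01$",  "client": "10.0.0.51", "time": 3},
    {"id": 4769, "account": "alice",  "service": "WKS01$", "client": "10.0.0.51", "time": 4},
    {"id": 4768, "account": "bob",    "service": "krbtgt", "client": "10.0.0.77", "time": 5},
    {"id": 4769, "account": "bob",    "service": "EXCH01$", "client": "10.0.0.77", "time": 6},
]

# As the thread notes, the logs do not say which host is a DC: this must be known up front.
DC_NAMES = {"DC01$"}


def is_computer(name):
    """Machine accounts end in a dollar sign; user accounts do not."""
    return name.endswith("$")


def interactive_logons(events, dc_names, window=60):
    """Return (user, workstation, client IP) for each user 4768 that is followed
    within `window` seconds by a 4769 for a DC and then a 4769 for another computer.
    A 4768 with no DC service ticket is treated as a direct application logon."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    found = []
    for account, evs in by_account.items():
        if is_computer(account):
            continue  # machine accounts never represent an interactive user logon
        for i, e in enumerate(evs):
            if e["id"] != 4768:
                continue
            later = [x for x in evs[i + 1:]
                     if x["id"] == 4769 and x["time"] - e["time"] <= window]
            dc_hit = next((x for x in later if x["service"] in dc_names), None)
            if dc_hit is None:
                continue  # e.g. Exchange or SharePoint: no Group Policy lookup on a DC
            ws = next((x for x in later if x["time"] > dc_hit["time"]
                       and is_computer(x["service"]) and x["service"] not in dc_names), None)
            if ws is not None:
                found.append((account, ws["service"], e["client"]))
    return found


def computer_startups(events):
    """Map each machine account seen in a 4768 to its Client Address (post #348)."""
    return {e["account"]: e["client"]
            for e in events if e["id"] == 4768 and is_computer(e["account"])}
```

Run against real exported logs the same way by mapping each event's Account Name, Service Name and Client Address fields into the dict shape above.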
Posted 4/9/2010 11:42:34 AM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
Perfect! That is exactly what I was looking for.
Post #350
Posted 4/15/2010 5:45:57 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
I also need to get the failed attempts with username, date, time, IP address, etc.
As I understand it from your site and screencast, this should be event IDs 4771 and/or 4772. However, I see none of these in my logs.
Is there an audit setting I need to enable to get these to show up?
Post #355