Difference between revisions of "Logon,logoff,locking in the event log"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Purpose== | ==Purpose== | ||
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain. | To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain. | ||
| − | + | ||
===Collector and Forwarding=== | ===Collector and Forwarding=== | ||
Initial attempt is made using a DC as the collector as it already had spare storage. | Initial attempt is made using a DC as the collector as it already had spare storage. | ||
| Line 7: | Line 7: | ||
*Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts. | *Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts. | ||
*You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured. | *You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured. | ||
| − | * | + | *For machines that will forward security events, make sure the "Network Service" user account is added to the "Evcent Log Readers" security group.<ref>https://social.technet.microsoft.com/Forums/sharepoint/en-US/8434ffb3-1621-4bc5-8311-66d88b215886/how-to-collect-security-logs-using-event-forwarding?forum=winservergen</ref> |
| + | |||
| + | ==Notes== | ||
| + | |||
===EventIDs=== | ===EventIDs=== | ||
| − | |||
*4624 : All logon types | *4624 : All logon types | ||
*4634 : An account was logged off.<ref>https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4634</ref> | *4634 : An account was logged off.<ref>https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4634</ref> | ||
| Line 30: | Line 32: | ||
*10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop. | *10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop. | ||
*11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. | *11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. | ||
| + | |||
===Replacement Strings=== | ===Replacement Strings=== | ||
| + | Example | ||
| + | get-eventlog -logname 'Security' -InstanceID 4624 | select -Last 4 @{Label="value";Expression={$_.replacementStrings[5]}} | ||
| + | <br> | ||
4624 | 4624 | ||
*Subject | *Subject | ||
Latest revision as of 10:31, 26 June 2019
Contents
Purpose
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
Collector and Forwarding
Initial attempt is made using a DC as the collector as it already had spare storage. [1]
- Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts.
- You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured.
- For machines that will forward security events, make sure the "Network Service" user account is added to the "Evcent Log Readers" security group.[2]
Notes
EventIDs
- 4624 : All logon types
- 4634 : An account was logged off.[3]
- 4800 : The workstation was locked.[4]
- 4801 : Workstation was unlocked
- 4802 : Screen saver was invoked
- 4803 : Screen saver was dismissed
Event Types
- 2 : Interactive - A user logged on to this computer.
- 3 : Network - A user or computer logged on to this computer from the network.
- 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
- 5 : Service - A service was started by the Service Control Manager.
- 7 : Unlock - This workstation was unlocked.
- 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
- 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
- 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
- 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
Replacement Strings
Example
get-eventlog -logname 'Security' -InstanceID 4624 | select -Last 4 @{Label="value";Expression={$_.replacementStrings[5]}}
4624
- Subject
- 1 = Account name
- 2 = Account Domain
- 3 = Logon ID
- New Logon
- 4 = Security ID
- 5 = Account Name
- 6 = Account Domain
- 7 = Logon ID
- 12 = Logon GUID
- Logon Type
- 8 = Logon Type
- Detailed Authentication Information
- 9 = Logon Process
- 10 = Authentication Package
- Network Information
- 11 = Workstation Name
- 14 = Key Length
- 18 = Source Network Address
- 19 = Source Port
- Process Information
- 16 = Process ID
- 17 = Process Name
- ↑ https://social.technet.microsoft.com/wiki/contents/articles/8223.windows-could-not-start-the-windows-event-log-service-on-local-computer-error-5-access-is-denied.aspx
- ↑ https://social.technet.microsoft.com/Forums/sharepoint/en-US/8434ffb3-1621-4bc5-8311-66d88b215886/how-to-collect-security-logs-using-event-forwarding?forum=winservergen
- ↑ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4634
- ↑ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
- ↑ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc787567(v=ws.10)
