Difference between revisions of "Logon,logoff,locking in the event log"

From Michael's Information Zone
Jump to navigation Jump to search
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Purpose==
 
==Purpose==
 
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
 
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
==Notes==
+
 
 
===Collector and Forwarding===
 
===Collector and Forwarding===
 
Initial attempt is made using a DC as the collector as it already had spare storage.
 
Initial attempt is made using a DC as the collector as it already had spare storage.
Line 7: Line 7:
 
*Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts.
 
*Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts.
 
*You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured.
 
*You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured.
*
+
*For machines that will forward security events, make sure the "Network Service" user account is added to the "Evcent Log Readers" security group.<ref>https://social.technet.microsoft.com/Forums/sharepoint/en-US/8434ffb3-1621-4bc5-8311-66d88b215886/how-to-collect-security-logs-using-event-forwarding?forum=winservergen</ref>
 +
 
 +
==Notes==
 +
 
  
 
===EventIDs===
 
===EventIDs===
Line 29: Line 32:
 
*10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
 
*10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
 
*11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
 
*11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
 +
 
===Replacement Strings===
 
===Replacement Strings===
 +
Example
 +
get-eventlog -logname 'Security' -InstanceID 4624 | select -Last 4 @{Label="value";Expression={$_.replacementStrings[5]}}
 +
<br>
 
4624
 
4624
 
*Subject
 
*Subject

Latest revision as of 10:31, 26 June 2019

Purpose

To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.

Collector and Forwarding

Initial attempt is made using a DC as the collector as it already had spare storage. [1]

  • Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts.
  • You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured.
  • For machines that will forward security events, make sure the "Network Service" user account is added to the "Evcent Log Readers" security group.[2]

Notes

EventIDs

  • 4624 : All logon types
  • 4634 : An account was logged off.[3]
  • 4800 : The workstation was locked.[4]
  • 4801 : Workstation was unlocked
  • 4802 : Screen saver was invoked
  • 4803 : Screen saver was dismissed


Event Types

[5]

  • 2 : Interactive - A user logged on to this computer.
  • 3 : Network - A user or computer logged on to this computer from the network.
  • 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  • 5 : Service - A service was started by the Service Control Manager.
  • 7 : Unlock - This workstation was unlocked.
  • 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
  • 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
  • 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  • 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.

Replacement Strings

Example

get-eventlog -logname 'Security' -InstanceID 4624 | select -Last 4 @{Label="value";Expression={$_.replacementStrings[5]}}


4624

  • Subject
    • 1 = Account name
    • 2 = Account Domain
    • 3 = Logon ID
  • New Logon
    • 4 = Security ID
    • 5 = Account Name
    • 6 = Account Domain
    • 7 = Logon ID
    • 12 = Logon GUID
  • Logon Type
    • 8 = Logon Type
  • Detailed Authentication Information
    • 9 = Logon Process
    • 10 = Authentication Package
  • Network Information
    • 11 = Workstation Name
    • 14 = Key Length
    • 18 = Source Network Address
    • 19 = Source Port
  • Process Information
    • 16 = Process ID
    • 17 = Process Name