Logon,logoff,locking in the event log

From Michael's Information Zone
Revision as of 10:38, 15 February 2018 by Michael.mast (talk | contribs)
Jump to navigation Jump to search

Purpose

To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.

Enabling Printer Auditing via GPO

It appears that to enable print logging, using the built in logging function, you have to edit the registry to

  1. Enable the log[1]
  2. Tell the system the log exists.[2]



The following edits and additions are needed

  1. Update the following to 1 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\WINEVT\Channels \Microsoft-Windows-PrintService/Operational, entry Enabled)
  2. Create the following key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-PrintService/Operational)



Windows comes with an operational entry in event viewer for the Microsoft-Windows-PrintService event sub directory. However it gets overwritten with whatever you put into the key that you create. Not sure how it associates the key to print services since every other application has an operational entry, and the location of the key does not seem to corresponding to a particular service.
[3]

Moving Event Log Location

When moving the log file location, make sure to have proper permissions applied. In my case I wanted the forwarded events to be moved to a mounted drive with more space. As this was done I ran into an issue where the logs would not rotate. I was using a domain controller which prevented me from finding the eventlog security group, which was used for the traditional directory. Xcopy was able to replicate the permissions.[4]

xcopy C:\Windows\System32\winevt\Logs E:\Winevt\Logs /O /T

Collector and Forwarding

Initial attempt is made using a DC as the collector as it already had spare storage. [5]

  • Make sure that if you change the directory in which you store the forwarded log file, that permissions are set to allow full control to both the Local Service and Network Service accounts.
  • You do need to enable WinRM on the collector, in this case I am using a DC which already had it configured.
  • For machines that will forward security events, make sure the "Network Service" user account is added to the "Evcent Log Readers" security group.[6]

Notes

EventIDs

  • 4624 : All logon types
  • 4634 : An account was logged off.[7]
  • 4800 : The workstation was locked.[8]
  • 4801 : Workstation was unlocked
  • 4802 : Screen saver was invoked
  • 4803 : Screen saver was dismissed


Event Types

[9]

  • 2 : Interactive - A user logged on to this computer.
  • 3 : Network - A user or computer logged on to this computer from the network.
  • 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  • 5 : Service - A service was started by the Service Control Manager.
  • 7 : Unlock - This workstation was unlocked.
  • 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
  • 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
  • 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  • 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.

Replacement Strings

Example

get-eventlog -logname 'Security' -InstanceID 4624 | select -Last 4 @{Label="value";Expression={$_.replacementStrings[5]}}


4624

  • Subject
    • 1 = Account name
    • 2 = Account Domain
    • 3 = Logon ID
  • New Logon
    • 4 = Security ID
    • 5 = Account Name
    • 6 = Account Domain
    • 7 = Logon ID
    • 12 = Logon GUID
  • Logon Type
    • 8 = Logon Type
  • Detailed Authentication Information
    • 9 = Logon Process
    • 10 = Authentication Package
  • Network Information
    • 11 = Workstation Name
    • 14 = Key Length
    • 18 = Source Network Address
    • 19 = Source Port
  • Process Information
    • 16 = Process ID
    • 17 = Process Name