I simply want to audit our Administrators on which systems they are logged on right now. The major problem here is that the EventCodes for Login and Logoff deal with Logon_IDs. But I cannot separate only EventCode 4625 events which have no EventCode 4634 event. I will sort out every Logon Event (and Logoff Event) which has a specific Logoff Event.

First I tried this way:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-*
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0))
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app

Then there was no success, so I tried another query:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-evermann

I have found out that I can have a NOT search as a subsearch:

Account_Name=server-evermann EventCode=4624 | eval logid=mvindex(Logon_ID, 1) | search NOT | table _time, logid, Source_Network_Address, host | sort - _time

Here every event is kicked out which has the logon id in EventCode 4634. It's not a search query for real-time searches, but it kinda does its work.

The second problem is way worse, and that is something I found out through solving that problem. A Logon Event on a DC is not like you think it is.

I simply log all my DCs and thought I could catch all Logon and Logoff actions in my domain. That means I've got an EventCode 4624 generated on every logon I do on a server (and on every forced user-specific GPO update), which comes every 90 minutes (depending on your configuration on how often the GPO should update), and a Logoff Event when the update is done. That's because it is not the logon from the user that generates the Logon Event 4624 - the update from GPO does this. A few minutes later all the Logon_IDs are marked as Logoff (from EventCode 4634) even though the connection is still established. Sometimes more than 4 events are generated when logging on to a system.

Does anyone have the same problem with domain user logging?

A transaction is a group of conceptually-related events that spans time. Transactions can include: different events from the same source and the same host; different events from different sources from the same host. A transaction type is a transaction that has been configured in transactiontypes.conf and saved as a field.

Use a subsearch to narrow down relevant events. First, let's start with a simple Splunk search for the recipient address:

index=mail sourcetype=qmailcurrent recipient=host.tld

In particular, this will find the starting delivery events for this address, like the third log line shown above.