RE: user name from security logs
From: dave kleiman (dave_at_isecureu.com)
Date: 05/26/05
- Previous message: Micheal Espinola Jr: "Re: Network abuse report"
- In reply to: Peter Rodger: "user name from security logs"
- Next in thread: Emmanuel Goldstein: "Re: user name from security logs"
- Reply: Emmanuel Goldstein: "Re: user name from security logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Peter Rodger'" <prodger2008@yahoo.com>, <security-basics@securityfocus.com>
Date: Thu, 26 May 2005 16:16:16 -0400
Download Log Parser at
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
Install it.
Cut and paste this into Notepad and save it as Logons.sql in the Log Parser directory:
-------------snip-------------------------
SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
WHEN 2 THEN '2=Interactive'
WHEN 3 THEN '3=Network'
WHEN 4 THEN '4=Batch'
WHEN 5 THEN '5=Service'
WHEN 6 THEN '6=Proxy'
WHEN 7 THEN '7=Unlock'
WHEN 8 THEN '8=NetworkCleartext'
WHEN 9 THEN '9=NewCredentials'
WHEN 10 THEN '10=RemoteInteractive'
WHEN 11 THEN '11=CachedInteractive'
WHEN 12 THEN '12=CachedRemoteInteractive'
WHEN 13 THEN '13=CachedUnlock'
END AS Type
INTO Logon.csv
FROM security
WHERE
(EventID IN (528; 538; 540; 551; 552))
AND
(SourceAddress IS NOT NULL)
GROUP BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated ASC
-------------snip-------------------------
At the command prompt in the Log Parser directory:
logparser file:Logons.sql
It will create Logon.csv in that directory.
For some really incredible Log Parsing scripts and techniques take a look at
Microsoft Log Parser Toolkit:
http://www.syngress.com/catalog/?pid=3110
Kind Regards,
________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com
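The same selection logic re-implemented in Python over a few constructed event records, as an added example that is not part of this reply or of Log Parser itself. It assumes each record is exposed as (TimeGenerated, EventID, Strings) with Strings being the pipe-joined insertion strings of the event, and shows two effects of the query that are easy to miss: the SourceAddress IS NOT NULL test silently drops logoff events, which carry no Source Network Address field, and an unknown logon type code leaves the Type column empty.

```python
import csv
import io

# Logon-type codes carried in field 3 of the insertion strings (Windows 2000/2003 events 528/540).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock"}
LOGON_EVENTS = {528, 538, 540, 551, 552}  # the query's IN list
COLUMNS = ["TimeGenerated", "SourceAddress", "User", "WorkStation", "CallerDomain", "Type"]

def extract_token(strings, index, sep="|"):
    """Like Log Parser's EXTRACT_TOKEN: returns None (NULL) when the token does not exist."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else None

def logon_type(token):
    """Like the query's CASE expression: '<code>=<name>' for known codes, None otherwise."""
    code = int(token) if token and token.isdigit() else None
    return f"{code}={LOGON_TYPES[code]}" if code in LOGON_TYPES else None

def logon_rows(records):
    """Apply the query's WHERE/SELECT/GROUP BY/ORDER BY to (TimeGenerated, EventID, Strings) records."""
    rows = []
    for time_generated, event_id, strings in sorted(records):
        source = extract_token(strings, 13)  # Source Network Address
        if event_id not in LOGON_EVENTS or source is None:  # SourceAddress IS NOT NULL
            continue  # records without a 14th string (logoff events, for instance) are dropped
        lowered = [(extract_token(strings, i) or "").lower() for i in (0, 6, 9)]  # User, WorkStation, CallerDomain
        row = dict(zip(COLUMNS, [time_generated, source.lower(), *lowered,
                                 logon_type(extract_token(strings, 3))]))
        if row not in rows:  # GROUP BY over every selected column just makes rows distinct
            rows.append(row)
    return rows

def to_csv(rows):
    """Render rows the way INTO Logon.csv would: a header line, then one line per row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample records (not real log data) in the assumed (TimeGenerated, EventID, Strings) shape.
SAMPLE = [
    ("2005-05-24 13:05:10", 540, "svc_backup|CORP|(0x0,0x1A2)|3|Kerberos|Kerberos|WS02|-|-|-|-|-|-|10.0.0.5|445"),
    ("2005-05-24 13:04:01", 528, "Peter|CORP|(0x0,0x3E7)|10|User32|Negotiate|WS01|-|Admin|CORP|-|-|-|10.0.0.9|0"),
    ("2005-05-24 13:04:30", 529, "bob|CORP|-|2|User32|Negotiate|WS03|-|-|-|-|-|-|10.0.0.7|0"),  # failed logon: not in IN list
    ("2005-05-24 13:07:00", 538, "Peter|CORP|(0x0,0x3E7)|10"),  # logoff: only four insertion strings, no field 13
]
print(to_csv(logon_rows(SAMPLE)))  # what Logon.csv would contain for the sample
```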
> -----Original Message-----
> From: Peter Rodger [mailto:prodger2008@yahoo.com]
> Sent: Tuesday, May 24, 2005 13:04
> To: security-basics@securityfocus.com
> Subject: user name from security logs
>
> Hi, all
>
> Is there any way or any tool that we can use to find out which user
> logged on or logged off from the network at a specific time through the
> Windows 2000 security logs, instead of going through each security log?
>
> Thanks in advance,
>
> Peter
>