RE: Windows Log



http://www.ultimatewindowssecurity.com/codesheet.asp

That is a link to a pdf "cheat sheet" of all the login types.

Type2 = Interactive (Keyboard)
Type3 = Network
Type4 = Batch
Type5 = Services
Type7 = Unlock
Etc...

Hth,

Joe
-----Original Message-----
From: Nick Duda [mailto:nduda@xxxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 9:56 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Windows Log


To continue this topic, I'm faced with the same thing....

The problem is that with all these event id's 672, 673, 540...etc there is still no positive way to say , when a user logged on (via cntrl,alt delete) and logged off, as in shutdown or log off.


My goal, is to use syslog or some other form of monitoring to keep records of each employees logon/logoff of a PC physically on the network. I've been knee deep into all these event id's and nothing is accurate.


Please help.

-----Original Message-----
From: List Spam [mailto:listspam@xxxxxxxxx]

Sent: Tuesday, January 17, 2006 10:08 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Windows Log

There are many types of logins that can be performed in an an AD
environment. Among these are full desktop logins by a user (aka
interactive login), non-interactive network logins (e.g. mount a
share), computer accounts authenticating to the domain, etc.

I would venture a guess that you don't want to disallow the ability to
log other security events, but want to easily find login events of
some type (see above) without having to wade through the full set of
logged data. If this is the case, you could simply filter the logs to
show the event id that is specific to the action you are looking to
see.

You could use the built-in "Event Viewer" application for it,
EventCombMT (Google it), one of the resource kit log dumping
utilitities, VBScripts, or just about anything else to export this
info. Some VBScript examples are below:

http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/defaultmspx

I dare say that if you're trying to audit security on a box, you don't
want to hack up the data collection facility, but want to simply get
better use from that data.

My two cetns.

On 1/16/06, Rod <rod.rio@xxxxxxxxx> wrote:
> Hi all,
>
> I have a Win2k Server, who is my Domain Controller, and I'd like it to
> log only the LOGON/LOGOFF events. I know that there are a whole class
> of logon/logoff events, but I´d like to log only when a user logon
> into a machine in the domain.
>
> Hope I was clear... thx
>
>
> --
> Rodrigo M. T. Fernandez
> Departamento de Ciência da Computação UFRJ
> Grupo de Respostas a Incidentes de Segurança - GRIS UFRJ
> www.dcc.ufrj.br | www.gris.dcc.ufrj.br
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------
>
>

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management

education and the case study affords you unmatched consulting experience.

Tailor your education to your own professional goals with degree

customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------
Confidentiality note:
The information in this email and any attachment may contain

confidential and proprietary information of VistaPrint and/or

its affiliates and may be privileged or otherwise protected

from disclosure. If you are not the intended recipient,

you are hereby notified that any review, reliance or distribution

by others or forwarding without express permission is strictly

prohibited and may cause liability. In case you have received this
message due to an error in transmission, please notify the sender

immediately and to delete this email and any attachment from your

system.
---------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------