Bruno Mendonça
My boss asked me to build a program to create a report with logon/logoff events for all users within our Windows domain. I'm using .NET to do so and decided to have a program running on the Domain Controller to listen to all new events and send them to a database. This last part I haven't worked on yet, because I can't tell which events are relevant to write to the db and which are not.
I have managed to listen to all the security log events on the DC with the following code:
    ' Subscribe to new Security-log records; WITHIN 60 is the WMI polling interval in seconds
    ManagementEventWatcher1.Query = New System.Management.EventQuery( _
        "SELECT * FROM __InstanceCreationEvent WITHIN 60 " & _
        "WHERE TargetInstance ISA ""Win32_NTLogEvent"" " & _
        "AND TargetInstance.Logfile = ""Security""")
    ' Connect to the CIMV2 namespace on the domain controller
    ManagementEventWatcher1.Scope = New System.Management.ManagementScope("\\sededc01\root\CIMV2")
    Dim handler As New MyHandler
    AddHandler ManagementEventWatcher1.EventArrived, AddressOf handler.Arrived
    ' Start watching for events
    ManagementEventWatcher1.Start()
This next Sub sends the information of each event to the output window of VB.NET:
Public Class MyHandler
    Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        ' TargetInstance holds the Win32_NTLogEvent record that was just written.
        ' Null WMI properties come back as Nothing (not DBNull), and IsDBNull on the
        ' PropertyData object itself is never true, so compare the Value against Nothing.
        If Not e.NewEvent.Properties("TargetInstance").Value Is Nothing Then
            Dim mbo As ManagementBaseObject = _
                CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)
            If Not mbo.Properties("Message").Value Is Nothing Then
                Console.WriteLine("Message: " & CStr(mbo.Properties("Message").Value))
                Console.WriteLine("Computer: " & CStr(mbo.Properties("ComputerName").Value))
                Console.WriteLine("Category: " & CStr(mbo.Properties("Category").Value))
                Console.WriteLine("EventCode: " & CStr(mbo.Properties("EventCode").Value))
                Console.WriteLine("User: " & CStr(mbo.Properties("User").Value))
            End If
        End If
    End Sub
End Class
My problem is how to interpret the events. There are new events every second, tons of them. And I'm sure we don't have people logging on or off every second. Even if I limit my query to TargetInstance.EventCode = "538", I still get lots of events being generated, with very similar messages. Here are some output examples:
Message: Successful Network Logon:
User Name: CML2817$
Domain: CMLOURES
Logon ID: (0x0,0xED81BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$
CML2817$ is not a user; it's a computer in the domain. If this was a logon, who is the user?
Message: User Logoff:
User Name: CML298$
Domain: CMLOURES
Logon ID: (0x0,0xED81D4)
Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$
If this was a logoff, who is the user?
Is there any way to be sure that one specific event really is a logon (or logoff) to a computer, to what computer and what user did it?
Bruno