Track Domain User Logons and Logoffs

[=?iso-8859-1?Q?Bruno_Mendon=E7a?=]

My boss asked me to build a program to create a report
with logon/logoff events for all users within our windows
domain. I'm using .Net to do so and decided to have a
program running on the Domain Controler to listen to all
new events and send them to a database. This last part I
haven't worked on yet, cause I can't tell which events are
relevant to write to the db and which are not.

I have managed to listen to all the security log events on
the DC with the following code:

ManagementEventWatcher1.Query = New
System.Management.EventQuery("SELECT * FROM
__InstanceCreationEvent WITHIN 60 WHERE TargetInstance
ISA ""Win32_N" & _
"TLogEvent"" and TargetInstance.Logfile
= ""Security""")
ManagementEventWatcher1.Scope = New
System.Management.ManagementScope("\\sededc01\root\CIMV2")

Dim handler As New MyHandler

AddHandler ManagementEventWatcher1.EventArrived,
AddressOf handler.Arrived

' Start watching for events
ManagementEventWatcher1.Start()


This next Sub send the information of each event to the
output window of vb.Net:

Public Class MyHandler
Public Sub Arrived(ByVal sender As Object, ByVal e
As EventArrivedEventArgs)
Dim mbo As ManagementBaseObject

If Not IsDBNull(e.NewEvent.Properties
("TargetInstance")) Then
mbo = CType(e.NewEvent.Properties
("TargetInstance").Value, ManagementBaseObject)

If Not IsDBNull(mbo.Properties
("Message").Value) Then
Console.WriteLine(mbo.Properties
("Message").Value)
Console.WriteLine(mbo.Properties
("ComputerName").Value)
Console.WriteLine(mbo.Properties
("Category").Value)
Console.WriteLine(mbo.Properties
("EventCode").Value)
Console.WriteLine(mbo.Properties
("User").Value)
End If
End If
End Sub
End Class

My problem is how to interpret the events. There's new
events every second, tons of them. And I'm sure we don't
have people login on or off every second. Even if I limit
my query to TargetInstance.EventCode = "538", I still get
lots of events being generated, with very similar messages.

Here are some output examples:

Message: Successful Network Logon:
User Name: CML2817$
Domain: CMLOURES
Logon ID: (0x0,0xED81BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$

CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?

Message: User Logoff:
User Name: CML298$
Domain: CMLOURES
Logon ID: (0x0,0xED81D4)
Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$

If this was a logoff, who is the user?

Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?

Bruno

 

[John Saunders]

My boss asked me to build a program to create a report
with logon/logoff events for all users within our windows
domain. I'm using .Net to do so and decided to have a
program running on the Domain Controler to listen to all
new events and send them to a database. This last part I
haven't worked on yet, cause I can't tell which events are
relevant to write to the db and which are not.

I have managed to listen to all the security log events on
the DC with the following code:

ManagementEventWatcher1.Query = New
System.Management.EventQuery("SELECT * FROM
__InstanceCreationEvent WITHIN 60 WHERE TargetInstance
ISA ""Win32_N" & _
"TLogEvent"" and TargetInstance.Logfile
= ""Security""")
ManagementEventWatcher1.Scope = New
System.Management.ManagementScope("\\sededc01\root\CIMV2")

Dim handler As New MyHandler

AddHandler ManagementEventWatcher1.EventArrived,
AddressOf handler.Arrived

' Start watching for events
ManagementEventWatcher1.Start()


This next Sub send the information of each event to the
output window of vb.Net:

Public Class MyHandler
Public Sub Arrived(ByVal sender As Object, ByVal e
As EventArrivedEventArgs)
Dim mbo As ManagementBaseObject

If Not IsDBNull(e.NewEvent.Properties
("TargetInstance")) Then
mbo = CType(e.NewEvent.Properties
("TargetInstance").Value, ManagementBaseObject)

If Not IsDBNull(mbo.Properties
("Message").Value) Then
Console.WriteLine(mbo.Properties
("Message").Value)
Console.WriteLine(mbo.Properties
("ComputerName").Value)
Console.WriteLine(mbo.Properties
("Category").Value)
Console.WriteLine(mbo.Properties
("EventCode").Value)
Console.WriteLine(mbo.Properties
("User").Value)
End If
End If
End Sub
End Class

My problem is how to interpret the events. There's new
events every second, tons of them. And I'm sure we don't
have people login on or off every second. Even if I limit
my query to TargetInstance.EventCode = "538", I still get
lots of events being generated, with very similar messages.

Here are some output examples:

Message: Successful Network Logon:
User Name: CML2817$
Domain: CMLOURES
Logon ID: (0x0,0xED81BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$

CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?

Message: User Logoff:
User Name: CML298$
Domain: CMLOURES
Logon ID: (0x0,0xED81D4)
Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$

If this was a logoff, who is the user?

Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?

In Kerberos, computers are actually logging in and out, as though they were
users. That's what those "$" logins are. Kerberos provides two-way
authentication, where the server can be sure who the client is, and the
client can be sure who the server is.

I believe the event log entry would more accurately say "Principal name"
instead of "user name", as there can be other types of principal logging in.

 

[=?iso-8859-1?Q?Bruno_Mendon=E7a?=]

In Kerberos, computers are actually logging in and out,
as though they were

users. That's what those "$" logins are. Kerberos provides two-way
authentication, where the server can be sure who the client is, and the
client can be sure who the server is.

I believe the event log entry would more accurately say "Principal name"
instead of "user name", as there can be other types of principal logging in.

This are the properties I can access to:

TargetInstance.Category
TargetInstance.EventCode
TargetInstance.EventIdentifier
TargetInstance.EventType
TargetInstance.RecordNumber
TargetInstance.CategoryString
TargetInstance.ComputerName
TargetInstance.Logfile
TargetInstance.Message
TargetInstance.SourceName
TargetInstance.Type
TargetInstance.TimeGenerated
TargetInstance.TimeWritten
TargetInstance.User

None of them has any additional information about the
user, except for the ones I'm already outputing (Message
and User)

There is also the chance of creating a Management Event on
the Server Explorer of vb.Net and have it listen to log
events. Once you create a NT Event Log Query and start it,
it automatically writes the events to the Output window
and it display additional information. So I created one
and started it. Very quickly I logged to Computer
Dosinsads3 under bruno_mendonca, logged of and stoped the
event query. Maybe 20 seconds went by and from the output
genetrated I retrieved the events refering to either
bruno_mendonca or Dosinsads3. There where 26! For a simple
logon and logoff. I can't tell which one refers to the
logon and which to the logoff...

Here are 3 examples:

1 -

Category = 9; CategoryString = "Account Logon\n";
ComputerName = "SEDEDC02"; EventCode = 673;
InsertionStrings =
{"bruno_mendonca", "CMLOURES.PT", "DOSINSADS3$", "%{S-1-5-
21-195237392-612787311-312552118-
5296}", "0x40810010", "0x17", "10.11.1.36"};
Message = "Service Ticket Granted:\n\n\tUser
Name:\t\tbruno_mendonca\n\n\tUser
Domain:\t\tCMLOURES.PT\n\n\tService Name:\t\tDOSINSADS3
$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-
312552118-5296}\n\n\tTicket Options:\t\t0x40810010
\n\n\tTicket Encryption Type:\t0x17\n\n\tClient
Address:\t\t10.11.1.36\n\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User = "NT
AUTHORITY\\SYSTEM"; }; };


2 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings =
{"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE5F)", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser
Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
ID:\t\t(0x0,0xEEDE5F)\n\n\tLogon Type:\t3\n\n\tLogon
Process:\tKerberos\n\n\tAuthentication
Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User
= "CMLOURES\\bruno_mendonca"; }; };


3 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings =
{"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE8F)", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser
Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
ID:\t\t(0x0,0xEEDE8F)\n\n\tLogon Type:\t3\n\n\tLogon
Process:\tKerberos\n\n\tAuthentication
Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User
= "CMLOURES\\bruno_mendonca"; }; };


The last 2 are identical!

If you wish to see them all look at this 14kb .txt file:
http://www.geocities.com/bmmpt/events.txt

Thanks for the given help though.

Bruno

 

[John Saunders]

This are the properties I can access to:

TargetInstance.Category
TargetInstance.EventCode
TargetInstance.EventIdentifier
TargetInstance.EventType
TargetInstance.RecordNumber
TargetInstance.CategoryString
TargetInstance.ComputerName
TargetInstance.Logfile
TargetInstance.Message
TargetInstance.SourceName
TargetInstance.Type
TargetInstance.TimeGenerated
TargetInstance.TimeWritten
TargetInstance.User

None of them has any additional information about the
user, except for the ones I'm already outputing (Message
and User)

There is also the chance of creating a Management Event on
the Server Explorer of vb.Net and have it listen to log
events. Once you create a NT Event Log Query and start it,
it automatically writes the events to the Output window
and it display additional information. So I created one
and started it. Very quickly I logged to Computer
Dosinsads3 under bruno_mendonca, logged of and stoped the
event query. Maybe 20 seconds went by and from the output
genetrated I retrieved the events refering to either
bruno_mendonca or Dosinsads3. There where 26! For a simple
logon and logoff. I can't tell which one refers to the
logon and which to the logoff...

Here are 3 examples:

1 -

Category = 9; CategoryString = "Account Logon\n";
ComputerName = "SEDEDC02"; EventCode = 673;
InsertionStrings =
{"bruno_mendonca", "CMLOURES.PT", "DOSINSADS3$", "%{S-1-5-
21-195237392-612787311-312552118-
5296}", "0x40810010", "0x17", "10.11.1.36"};
Message = "Service Ticket Granted:\n\n\tUser
Name:\t\tbruno_mendonca\n\n\tUser
Domain:\t\tCMLOURES.PT\n\n\tService Name:\t\tDOSINSADS3
$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-
312552118-5296}\n\n\tTicket Options:\t\t0x40810010
\n\n\tTicket Encryption Type:\t0x17\n\n\tClient
Address:\t\t10.11.1.36\n\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User = "NT
AUTHORITY\\SYSTEM"; }; };


2 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings =
{"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE5F)", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser
Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
ID:\t\t(0x0,0xEEDE5F)\n\n\tLogon Type:\t3\n\n\tLogon
Process:\tKerberos\n\n\tAuthentication
Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User
= "CMLOURES\\bruno_mendonca"; }; };


3 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings =
{"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE8F)", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser
Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
ID:\t\t(0x0,0xEEDE8F)\n\n\tLogon Type:\t3\n\n\tLogon
Process:\tKerberos\n\n\tAuthentication
Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type
= "audit success"; User
= "CMLOURES\\bruno_mendonca"; }; };


The last 2 are identical!

If you wish to see them all look at this 14kb .txt file:
http://www.geocities.com/bmmpt/events.txt

If you look carefully at the last two, you'll see that they have different
logon ids.

 

[Guest]

If you look carefully at the last two, you'll see that
they have different

logon ids.

That's true, but that's the only difference, even the time
is the exact same. I'm assuming they're related to the
same event. And in the list of 26 events I mentioned
before, there are more similar events to these two, where
only the id and possibly the time change. If I was to
consider them as logon events I'd be reporting say 6 or 7
logons (for a period of less that 10 seconds) where really
only one occurred.

Bruno.

 

[John Saunders]

That's true, but that's the only difference, even the time
is the exact same. I'm assuming they're related to the
same event. And in the list of 26 events I mentioned
before, there are more similar events to these two, where
only the id and possibly the time change. If I was to
consider them as logon events I'd be reporting say 6 or 7
logons (for a period of less that 10 seconds) where really
only one occurred.

If I were you, I'd try to find documentation on those events somewhere. I
wouldn't be so sure that two different login ids really mean only one login.