Track Domain User Logons and Logoffs

Discussion in 'ASP .Net' started by Bruno Mendonça, Jun 3, 2004.

  1. My boss asked me to build a program to create a report
    with logon/logoff events for all users within our Windows
    domain. I'm using .Net to do so and decided to have a
    program running on the Domain Controller to listen to all
    new events and send them to a database. This last part I
    haven't worked on yet, because I can't tell which events are
    relevant to write to the db and which are not.

    I have managed to listen to all the security log events on
    the DC with the following code:

    ' Subscribe to every new record written to the Security log on the DC
    Dim query As String = "SELECT * FROM __InstanceCreationEvent WITHIN 60 " & _
        "WHERE TargetInstance ISA ""Win32_NTLogEvent"" " & _
        "AND TargetInstance.Logfile = ""Security"""
    ManagementEventWatcher1.Query = New System.Management.EventQuery(query)
    ManagementEventWatcher1.Scope = New System.Management.ManagementScope("\\sededc01\root\CIMV2")

    Dim handler As New MyHandler

    AddHandler ManagementEventWatcher1.EventArrived, AddressOf handler.Arrived

    ' Start watching for events
    ManagementEventWatcher1.Start()


    This next Sub sends the information of each event to the
    output window of vb.Net:

    Public Class MyHandler
        Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
            Dim mbo As ManagementBaseObject

            ' TargetInstance is the Win32_NTLogEvent record that was just written
            If Not IsDBNull(e.NewEvent.Properties("TargetInstance").Value) Then
                mbo = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)

                If Not IsDBNull(mbo.Properties("Message").Value) Then
                    Console.WriteLine(mbo.Properties("Message").Value)
                    Console.WriteLine(mbo.Properties("ComputerName").Value)
                    Console.WriteLine(mbo.Properties("Category").Value)
                    Console.WriteLine(mbo.Properties("EventCode").Value)
                    Console.WriteLine(mbo.Properties("User").Value)
                End If
            End If
        End Sub
    End Class

    My problem is how to interpret the events. There are new
    events every second, tons of them. And I'm sure we don't
    have people logging on or off every second. Even if I limit
    my query to TargetInstance.EventCode = "538", I still get
    lots of events being generated, with very similar messages.

    Here are some output examples:

    Message: Successful Network Logon:
    User Name: CML2817$
    Domain: CMLOURES
    Logon ID: (0x0,0xED81BD)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Computer: SEDEDC02
    Category: 2
    EventCode: 540
    User: CMLOURES\CML2817$

    CML2817$ is not a user, it's a computer of the domain. If
    this was a logon, who is the user?

    Message: User Logoff:
    User Name: CML298$
    Domain: CMLOURES
    Logon ID: (0x0,0xED81D4)
    Logon Type: 3
    Computer: SEDEDC02
    Category: 2
    EventCode: 538
    User: CMLOURES\CML298$

    If this was a logoff, who is the user?

    Is there any way to be sure that one specific event really
    is a logon (or logoff) to a computer, to what computer and
    what user did it?

    Bruno
     
    Bruno Mendonça, Jun 3, 2004
    #1
  2. In Kerberos, computers are actually logging in and out, as though they were
    users. That's what those "$" logins are. Kerberos provides two-way
    authentication, where the server can be sure who the client is, and the
    client can be sure who the server is.

    I believe the event log entry would more accurately say "Principal name"
    instead of "user name", as there can be other types of principal logging in.
     
    John Saunders, Jun 3, 2004
    #2
  3. > In Kerberos, computers are actually logging in and out, as though they were

    These are the properties I can access:

    TargetInstance.Category
    TargetInstance.EventCode
    TargetInstance.EventIdentifier
    TargetInstance.EventType
    TargetInstance.RecordNumber
    TargetInstance.CategoryString
    TargetInstance.ComputerName
    TargetInstance.Logfile
    TargetInstance.Message
    TargetInstance.SourceName
    TargetInstance.Type
    TargetInstance.TimeGenerated
    TargetInstance.TimeWritten
    TargetInstance.User

    None of them has any additional information about the
    user, except for the ones I'm already outputting (Message
    and User).

    There is also the chance of creating a Management Event on
    the Server Explorer of vb.Net and having it listen to log
    events. Once you create an NT Event Log Query and start it,
    it automatically writes the events to the Output window
    and displays additional information. So I created one
    and started it. Very quickly I logged on to computer
    Dosinsads3 under bruno_mendonca, logged off and stopped the
    event query. Maybe 20 seconds went by, and from the output
    generated I retrieved the events referring to either
    bruno_mendonca or Dosinsads3. There were 26! For a simple
    logon and logoff. I can't tell which one refers to the
    logon and which to the logoff...

    Here are 3 examples:

    1 -

    Category = 9; CategoryString = "Account Logon\n";
    ComputerName = "SEDEDC02"; EventCode = 673;
    InsertionStrings =
    {"bruno_mendonca", "CMLOURES.PT", "DOSINSADS3$", "%{S-1-5-
    21-195237392-612787311-312552118-
    5296}", "0x40810010", "0x17", "10.11.1.36"};
    Message = "Service Ticket Granted:\n\n\tUser
    Name:\t\tbruno_mendonca\n\n\tUser
    Domain:\t\tCMLOURES.PT\n\n\tService Name:\t\tDOSINSADS3
    $\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-
    312552118-5296}\n\n\tTicket Options:\t\t0x40810010
    \n\n\tTicket Encryption Type:\t0x17\n\n\tClient
    Address:\t\t10.11.1.36\n\n";
    TimeGenerated = "20040603191448.000000+060"; Type
    = "audit success"; User = "NT
    AUTHORITY\\SYSTEM"; }; };


    2 -

    Category = 2; CategoryString = "Logon/Logoff\n";
    ComputerName = "SEDEDC02"; EventCode = 540;
    InsertionStrings =
    {"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE5F)", "3", "Kerb
    eros", "Kerberos", ""};
    Message = "Successful Network Logon:\n\n\tUser
    Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
    ID:\t\t(0x0,0xEEDE5F)\n\n\tLogon Type:\t3\n\n\tLogon
    Process:\tKerberos\n\n\tAuthentication
    Package:\tKerberos\n\n\tWorkstation Name:\t\n";
    TimeGenerated = "20040603191448.000000+060"; Type
    = "audit success"; User
    = "CMLOURES\\bruno_mendonca"; }; };


    3 -

    Category = 2; CategoryString = "Logon/Logoff\n";
    ComputerName = "SEDEDC02"; EventCode = 540;
    InsertionStrings =
    {"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE8F)", "3", "Kerb
    eros", "Kerberos", ""};
    Message = "Successful Network Logon:\n\n\tUser
    Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon
    ID:\t\t(0x0,0xEEDE8F)\n\n\tLogon Type:\t3\n\n\tLogon
    Process:\tKerberos\n\n\tAuthentication
    Package:\tKerberos\n\n\tWorkstation Name:\t\n";
    TimeGenerated = "20040603191448.000000+060"; Type
    = "audit success"; User
    = "CMLOURES\\bruno_mendonca"; }; };


    The last 2 are identical!

    If you wish to see them all look at this 14kb .txt file:
    http://www.geocities.com/bmmpt/events.txt

    Thanks for the given help though.

    Bruno
     
    Bruno Mendonça, Jun 3, 2004
    #3
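    The question running through posts #1 and #3 is how to pick the real user logons and logoffs out of the flood of Win32_NTLogEvent records. The script below is an added example, not code from this thread: it parses the tab-separated Message text in the same layout the posts show, ignores computer accounts (names ending in "$") and non-logon records such as the 673 "Service Ticket Granted" events, and pairs each logon (event 528 or 540) with the logoff (event 538) that carries the same Logon ID. The sample events, the account and computer names, the logon IDs, the address and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security-log event codes as they appear in the thread (Windows 2000/2003 numbering).
LOGON_CODES = {528, 540}    # 528 = successful logon, 540 = successful network logon
LOGOFF_CODES = {538}        # 538 = user logoff
LOGON_TYPES = {"2": "Interactive", "3": "Network"}   # Logon Type values seen in the thread


def parse_message(message: str) -> Dict[str, str]:
    """Split a Win32_NTLogEvent Message ('Key:<tabs>Value' lines) into a dict.

    The heading line (e.g. 'Successful Network Logon:') is stored under 'Title'.
    """
    fields: Dict[str, str] = {}
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if "Title" not in fields and not value:
            fields["Title"] = key       # first bare 'Something:' line is the heading
        else:
            fields[key] = value
    return fields


def is_machine_account(name: str) -> bool:
    """Computer accounts authenticate like users, but their names end in '$'."""
    return name.endswith("$")


@dataclass
class Session:
    user: str
    domain: str
    logon_id: str
    logon_type: str
    computer: str
    logon_time: str
    logoff_time: Optional[str] = None


def build_sessions(events: List[Dict]) -> List[Session]:
    """Pair each user logon with the logoff that carries the same Logon ID.

    Ticket events (673), other categories and machine accounts are skipped.
    Each distinct Logon ID is a distinct logon session, even at the same second.
    """
    open_sessions: Dict[str, Session] = {}
    sessions: List[Session] = []
    # TimeGenerated is CIM datetime text (yyyymmddHHMMSS...), so it sorts as a
    # string as long as every event carries the same UTC offset.
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        code = ev["EventCode"]
        if code not in LOGON_CODES and code not in LOGOFF_CODES:
            continue
        f = parse_message(ev["Message"])
        user = f.get("User Name", "")
        if is_machine_account(user):
            continue
        logon_id = f.get("Logon ID", "")
        if code in LOGON_CODES:
            s = Session(user, f.get("Domain", ""), logon_id,
                        LOGON_TYPES.get(f.get("Logon Type", ""), "Unknown"),
                        ev["ComputerName"], ev["TimeGenerated"])
            open_sessions[logon_id] = s
            sessions.append(s)
        else:
            s = open_sessions.pop(logon_id, None)
            if s is not None:
                s.logoff_time = ev["TimeGenerated"]
    return sessions


def _msg(title: str, *pairs) -> str:
    """Build Message text in the same tab-separated layout the event log uses."""
    return title + ":\n\n" + "".join(f"\t{k}:\t\t{v}\n\n" for k, v in pairs)


# Constructed sample events: names, computer, logon IDs, address and times are made up.
SAMPLE_EVENTS = [
    {"EventCode": 540, "ComputerName": "DC01", "TimeGenerated": "20040603191447.000000+060",
     "Message": _msg("Successful Network Logon", ("User Name", "WS42$"), ("Domain", "EXAMPLE"),
                     ("Logon ID", "(0x0,0xAAAA)"), ("Logon Type", "3"))},
    {"EventCode": 673, "ComputerName": "DC01", "TimeGenerated": "20040603191448.000000+060",
     "Message": _msg("Service Ticket Granted", ("User Name", "alice"), ("User Domain", "EXAMPLE.COM"),
                     ("Service Name", "WS42$"), ("Client Address", "10.0.0.5"))},
    {"EventCode": 540, "ComputerName": "DC01", "TimeGenerated": "20040603191448.000000+060",
     "Message": _msg("Successful Network Logon", ("User Name", "alice"), ("Domain", "EXAMPLE"),
                     ("Logon ID", "(0x0,0x1111)"), ("Logon Type", "3"))},
    {"EventCode": 540, "ComputerName": "DC01", "TimeGenerated": "20040603191448.000000+060",
     "Message": _msg("Successful Network Logon", ("User Name", "alice"), ("Domain", "EXAMPLE"),
                     ("Logon ID", "(0x0,0x2222)"), ("Logon Type", "3"))},
    {"EventCode": 538, "ComputerName": "DC01", "TimeGenerated": "20040603191450.000000+060",
     "Message": _msg("User Logoff", ("User Name", "alice"), ("Domain", "EXAMPLE"),
                     ("Logon ID", "(0x0,0x1111)"), ("Logon Type", "3"))},
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(f"{s.domain}\\{s.user} {s.logon_type} logon {s.logon_id} on {s.computer}: "
              f"{s.logon_time} -> {s.logoff_time or 'still open'}")
```

    On the constructed input this yields two sessions for alice (one closed by the 538, one still open) and none for the WS42$ computer account. The Logon ID is the key that makes the pairing possible: a logon and a logoff belong together only when that value matches, and two 540 records with different IDs are two sessions from the operating system's point of view, which is why the same Message text recurs so often. Feeding the real records into this routine instead of writing every event to the database would keep only the rows the report actually needs.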
  4. If you look carefully at the last two, you'll see that they have different
    logon ids.
     
    John Saunders, Jun 3, 2004
    #4
  5. Bruno Mendonça

    > If you look carefully at the last two, you'll see that they have different
    That's true, but that's the only difference, even the time
    is the exact same. I'm assuming they're related to the
    same event. And in the list of 26 events I mentioned
    before, there are more similar events to these two, where
    only the id and possibly the time change. If I was to
    consider them as logon events I'd be reporting say 6 or 7
    logons (for a period of less than 10 seconds) where really
    only one occurred.

    Bruno.
     
    Guest, Jun 4, 2004
    #5
  6. If I were you, I'd try to find documentation on those events somewhere. I
    wouldn't be so sure that two different login ids really mean only one login.
     
    John Saunders, Jun 4, 2004
    #6