Mattk
Posts: 5
Score: 0
Joined: 20.Apr.2006
Status: offline
We are trying to find out who generated the logon event as well as the workstation they were using. I have created a test filter or query that looks at 2 of our 2k8 AD servers and filters out one of our service account names and filters out user names that are actually computer names. I get things back like this:

Event Origin Details:
  Date: 5/5/2009
  Time: 9:44:06 AM
  Type: Success Audit
  Username: EMERALDQUEEN\**********
  Computer: I5SERVER
  Source: Security
  Category: Logon/Logoff
  Event ID: 540
  Internal Event ID: 8238898763
  Rule Name: Successful Network Logon - during work hours
  In Work Hours: Yes

Successful Network Logon:
  User Name: *********
  Domain: EMERALDQUEEN
  Logon ID: (0x0,0x1DA205D)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:
  Logon GUID: {fd8705a8-4fa5-c607-5e1c-ab9d4b88f9a8}
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 10.1.50.36
  Source Port: 0

I have the user name (I put the ****s) and I have the IP addresses, but I do not have a workstation name, and I really would like that! Any ideas on what I can do or what I am doing wrong? Here is the filter as it is right now:

(Event Equal to 644 OR Event Equal to 4740 OR category contains ‘logon’ OR category contains ‘logoff’) AND ((Event equal to 528 OR Event Equal to 540 OR Event Equal to 4624 OR Event Equal To 4636)) AND (computer contains ‘fife-server’ OR Computer contains ‘i52k8’) AND NOT user name contains ‘*****’ AND NOT user name contains ‘$’
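The filter quoted in the post, rendered as a small Python script (an added example, not code from the post or from the event-management tool being used). It parses "Field: value" records in the shape shown above, applies the same four clauses (the event-ID and category clause, the logon event-ID clause, the computer clause, and the two user-name exclusions), and then answers the "who and from where" question: it reports the Workstation Name when the event carries one and falls back to the Source Network Address when that field is blank, as it is in the posted 540 event. The sample records are constructed from the posted values with the masked user name kept as-is; the service-account name svc_backup is a hypothetical stand-in for the masked name, and "i5server" is added to the computer list only so the constructed sample (Computer: I5SERVER) passes the computer clause.

```python
from typing import Dict, Optional, Tuple

# Constructed sample record, one field per line, carrying the values of the
# event posted above (user name masked as in the post). Not from the page.
SAMPLE_EVENT = """\
Date: 5/5/2009
Time: 9:44:06 AM
Type: Success Audit
Username: EMERALDQUEEN\\**********
Computer: I5SERVER
Source: Security
Category: Logon/Logoff
Event ID: 540
User Name: **********
Domain: EMERALDQUEEN
Logon ID: (0x0,0x1DA205D)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {fd8705a8-4fa5-c607-5e1c-ab9d4b88f9a8}
Source Network Address: 10.1.50.36
Source Port: 0
"""

# Constructed variant: a computer account (name ends in '$'), which the
# posted filter drops with "NOT user name contains '$'".
SAMPLE_MACHINE_EVENT = SAMPLE_EVENT.replace(
    "User Name: **********", "User Name: WS042$")

# Constructed variant: same logon but with a Workstation Name filled in.
SAMPLE_WITH_WORKSTATION = SAMPLE_EVENT.replace(
    "Workstation Name:\n", "Workstation Name: FINANCE-PC\n")

# Terms taken from the filter quoted in the post.
FIRST_CLAUSE_EVENT_IDS = {644, 4740}
LOGON_EVENT_IDS = {528, 540, 4624, 4636}
# 'fife-server' and 'i52k8' are the computer terms in the posted filter;
# 'i5server' is added only so the constructed sample (Computer: I5SERVER) matches.
MONITORED_COMPUTERS = ("fife-server", "i52k8", "i5server")
# Hypothetical stand-in for the service-account name masked as '*****' in the post.
EXCLUDED_SERVICE_ACCOUNT = "svc_backup"


def parse_event(text: str) -> Dict[str, str]:
    """Parse 'Field: value' lines into a dict. Splitting on the first ':' keeps
    values such as '9:44:06 AM' intact; a field with nothing after the colon
    (the blank Workstation Name in the posted event) becomes ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def matches_filter(ev: Dict[str, str]) -> bool:
    """The four AND-ed clauses of the posted query, matched case-insensitively."""
    try:
        event_id = int(ev.get("Event ID", ""))
    except ValueError:
        return False
    category = ev.get("Category", "").lower()
    computer = ev.get("Computer", "").lower()
    user = ev.get("User Name", "").lower()
    clause1 = (event_id in FIRST_CLAUSE_EVENT_IDS
               or "logon" in category or "logoff" in category)
    clause2 = event_id in LOGON_EVENT_IDS
    clause3 = any(term in computer for term in MONITORED_COMPUTERS)
    clause4 = EXCLUDED_SERVICE_ACCOUNT.lower() not in user and "$" not in user
    return clause1 and clause2 and clause3 and clause4


def logon_origin(ev: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Return (DOMAIN\\user, origin, source-of-origin) for a record that passes
    the filter, or None. 'origin' is the Workstation Name when present; when it
    is blank, as in the posted event, the Source Network Address is used and the
    third element says so, so the report makes clear which one it is showing."""
    if not matches_filter(ev):
        return None
    account = f"{ev.get('Domain', '')}\\{ev.get('User Name', '')}"
    workstation = ev.get("Workstation Name", "")
    if workstation:
        return account, workstation, "workstation"
    return account, ev.get("Source Network Address", "-"), "source-ip"


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, SAMPLE_MACHINE_EVENT, SAMPLE_WITH_WORKSTATION):
        result = logon_origin(parse_event(raw))
        print("filtered out" if result is None else
              f"{result[0]} logged on from {result[1]} ({result[2]})")
```

Run as a script it prints one line per constructed record: the posted event resolves to the user and 10.1.50.36 tagged source-ip, the machine-account variant is filtered out, and the variant with a Workstation Name reports FINANCE-PC tagged workstation.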