Track Domain User Logons and Logoffs

"Bruno Mendonça" <an*******@disc ussions.microso ft.com> wrote in message
news:17******** *************** ******@phx.gbl. ..

My boss asked me to build a program to create a report
with logon/logoff events for all users within our windows
domain. I'm using .Net to do so and decided to have a
program running on the Domain Controler to listen to all
new events and send them to a database. This last part I
haven't worked on yet, cause I can't tell which events are
relevant to write to the db and which are not.

I have managed to listen to all the security log events on
the DC with the following code:

ManagementEvent Watcher1.Query = New
System.Manageme nt.EventQuery(" SELECT * FROM
__InstanceCreat ionEvent WITHIN 60 WHERE TargetInstance
ISA ""Win32_N" & _
"TLogEvent" " and TargetInstance. Logfile
= ""Security" "")
ManagementEvent Watcher1.Scope = New
System.Manageme nt.ManagementSc ope("\\sededc01 \root\CIMV2")

Dim handler As New MyHandler

AddHandler ManagementEvent Watcher1.EventA rrived,
AddressOf handler.Arrived

' Start watching for events
ManagementEvent Watcher1.Start( )
This next Sub send the information of each event to the
output window of vb.Net:

Public Class MyHandler
Public Sub Arrived(ByVal sender As Object, ByVal e
As EventArrivedEve ntArgs)
Dim mbo As ManagementBaseO bject

If Not IsDBNull(e.NewE vent.Properties
("TargetInstanc e")) Then
mbo = CType(e.NewEven t.Properties
("TargetInstanc e").Value, ManagementBaseO bject)

If Not IsDBNull(mbo.Pr operties
("Message").Val ue) Then
Console.WriteLi ne(mbo.Properti es
("Message").Val ue)
Console.WriteLi ne(mbo.Properti es
("ComputerName" ).Value)
Console.WriteLi ne(mbo.Properti es
("Category").Va lue)
Console.WriteLi ne(mbo.Properti es
("EventCode").V alue)
Console.WriteLi ne(mbo.Properti es
("User").Val ue)
End If
End If
End Sub
End Class

My problem is how to interpret the events. There's new
events every second, tons of them. And I'm sure we don't
have people login on or off every second. Even if I limit
my query to TargetInstance. EventCode = "538", I still get
lots of events being generated, with very similar messages.

Here are some output examples:

Message: Successful Network Logon:
User Name: CML2817$
Domain: CMLOURES
Logon ID: (0x0,0xED81BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML281 7$

CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?

Message: User Logoff:
User Name: CML298$
Domain: CMLOURES
Logon ID: (0x0,0xED81D4)
Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298 $

If this was a logoff, who is the user?

Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?

In Kerberos, computers are actually logging in and out, as though they were
users. That's what those "$" logins are. Kerberos provides two-way
authentication, where the server can be sure who the client is, and the
client can be sure who the server is.

I believe the event log entry would more accurately say "Principal name"
instead of "user name", as there can be other types of principal logging in.
--
John Saunders
johnwsaundersii i at hotmail

>In Kerberos, computers are actually logging in and out,
as though they were

users. That's what those "$" logins are. Kerberos provides two-wayauthentication , where the server can be sure who the client is, and theclient can be sure who the server is.

I believe the event log entry would more accurately say "Principal name"instead of "user name", as there can be other types of principal logging in.--
John Saunders
johnwsaundersi ii at hotmail

This are the properties I can access to:

TargetInstance. Category
TargetInstance. EventCode
TargetInstance. EventIdentifier
TargetInstance. EventType
TargetInstance. RecordNumber
TargetInstance. CategoryString
TargetInstance. ComputerName
TargetInstance. Logfile
TargetInstance. Message
TargetInstance. SourceName
TargetInstance. Type
TargetInstance. TimeGenerated
TargetInstance. TimeWritten
TargetInstance. User

None of them has any additional information about the
user, except for the ones I'm already outputing (Message
and User)

There is also the chance of creating a Management Event on
the Server Explorer of vb.Net and have it listen to log
events. Once you create a NT Event Log Query and start it,
it automatically writes the events to the Output window
and it display additional information. So I created one
and started it. Very quickly I logged to Computer
Dosinsads3 under bruno_mendonca, logged of and stoped the
event query. Maybe 20 seconds went by and from the output
genetrated I retrieved the events refering to either
bruno_mendonca or Dosinsads3. There where 26! For a simple
logon and logoff. I can't tell which one refers to the
logon and which to the logoff...

Here are 3 examples:

1 -

Category = 9; CategoryString = "Account Logon\n";
ComputerName = "SEDEDC02"; EventCode = 673;
InsertionString s =
{"bruno_mendonc a", "CMLOURES.P T", "DOSINSADS3 $", "%{S-1-5-
21-195237392-612787311-312552118-
5296}", "0x40810010 ", "0x17", "10.11.1.36 "};
Message = "Service Ticket Granted:\n\n\tU ser
Name:\t\tbruno_ mendonca\n\n\tU ser
Domain:\t\tCMLO URES.PT\n\n\tSe rvice Name:\t\tDOSINS ADS3
$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-
312552118-5296}\n\n\tTick et Options:\t\t0x4 0810010
\n\n\tTicket Encryption Type:\t0x17\n\n \tClient
Address:\t\t10. 11.1.36\n\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User = "NT
AUTHORITY\\SYST EM"; }; };
2 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionString s =
{"bruno_mendonc a", "CMLOURES", "(0x0,0xEEDE5F) ", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUse r
Name:\tbruno_me ndonca\n\n\tDom ain:\t\tCMLOURE S\n\n\tLogon
ID:\t\t(0x0,0xE EDE5F)\n\n\tLog on Type:\t3\n\n\tL ogon
Process:\tKerbe ros\n\n\tAuthen tication
Package:\tKerbe ros\n\n\tWorkst ation Name:\t\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User
= "CMLOURES\\brun o_mendonca"; }; };
3 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionString s =
{"bruno_mendonc a", "CMLOURES", "(0x0,0xEEDE8F) ", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUse r
Name:\tbruno_me ndonca\n\n\tDom ain:\t\tCMLOURE S\n\n\tLogon
ID:\t\t(0x0,0xE EDE8F)\n\n\tLog on Type:\t3\n\n\tL ogon
Process:\tKerbe ros\n\n\tAuthen tication
Package:\tKerbe ros\n\n\tWorkst ation Name:\t\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User
= "CMLOURES\\brun o_mendonca"; }; };
The last 2 are identical!

If you wish to see them all look at this 14kb .txt file:
http://www.geocities.com/bmmpt/events.txt

Thanks for the given help though.

Bruno

"Bruno Mendonça" <an*******@disc ussions.microso ft.com> wrote in message
news:17******** *************** ******@phx.gbl. ..

In Kerberos, computers are actually logging in and out,

as though they were

users. That's what those "$" logins are. Kerberos

provides two-way

authentication , where the server can be sure who the

client is, and the

client can be sure who the server is.

I believe the event log entry would more accurately

say "Principal name"

instead of "user name", as there can be other types of

principal logging in.

--
John Saunders
johnwsaundersi ii at hotmail

This are the properties I can access to:

TargetInstance. Category
TargetInstance. EventCode
TargetInstance. EventIdentifier
TargetInstance. EventType
TargetInstance. RecordNumber
TargetInstance. CategoryString
TargetInstance. ComputerName
TargetInstance. Logfile
TargetInstance. Message
TargetInstance. SourceName
TargetInstance. Type
TargetInstance. TimeGenerated
TargetInstance. TimeWritten
TargetInstance. User

None of them has any additional information about the
user, except for the ones I'm already outputing (Message
and User)

There is also the chance of creating a Management Event on
the Server Explorer of vb.Net and have it listen to log
events. Once you create a NT Event Log Query and start it,
it automatically writes the events to the Output window
and it display additional information. So I created one
and started it. Very quickly I logged to Computer
Dosinsads3 under bruno_mendonca, logged of and stoped the
event query. Maybe 20 seconds went by and from the output
genetrated I retrieved the events refering to either
bruno_mendonca or Dosinsads3. There where 26! For a simple
logon and logoff. I can't tell which one refers to the
logon and which to the logoff...

Here are 3 examples:

1 -

Category = 9; CategoryString = "Account Logon\n";
ComputerName = "SEDEDC02"; EventCode = 673;
InsertionString s =
{"bruno_mendonc a", "CMLOURES.P T", "DOSINSADS3 $", "%{S-1-5-
21-195237392-612787311-312552118-
5296}", "0x40810010 ", "0x17", "10.11.1.36 "};
Message = "Service Ticket Granted:\n\n\tU ser
Name:\t\tbruno_ mendonca\n\n\tU ser
Domain:\t\tCMLO URES.PT\n\n\tSe rvice Name:\t\tDOSINS ADS3
$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-
312552118-5296}\n\n\tTick et Options:\t\t0x4 0810010
\n\n\tTicket Encryption Type:\t0x17\n\n \tClient
Address:\t\t10. 11.1.36\n\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User = "NT
AUTHORITY\\SYST EM"; }; };
2 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionString s =
{"bruno_mendonc a", "CMLOURES", "(0x0,0xEEDE5F) ", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUse r
Name:\tbruno_me ndonca\n\n\tDom ain:\t\tCMLOURE S\n\n\tLogon
ID:\t\t(0x0,0xE EDE5F)\n\n\tLog on Type:\t3\n\n\tL ogon
Process:\tKerbe ros\n\n\tAuthen tication
Package:\tKerbe ros\n\n\tWorkst ation Name:\t\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User
= "CMLOURES\\brun o_mendonca"; }; };
3 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionString s =
{"bruno_mendonc a", "CMLOURES", "(0x0,0xEEDE8F) ", "3", "Kerb
eros", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUse r
Name:\tbruno_me ndonca\n\n\tDom ain:\t\tCMLOURE S\n\n\tLogon
ID:\t\t(0x0,0xE EDE8F)\n\n\tLog on Type:\t3\n\n\tL ogon
Process:\tKerbe ros\n\n\tAuthen tication
Package:\tKerbe ros\n\n\tWorkst ation Name:\t\n";
TimeGenerated = "20040603191448 .000000+060"; Type
= "audit success"; User
= "CMLOURES\\brun o_mendonca"; }; };
The last 2 are identical!

If you wish to see them all look at this 14kb .txt file:
http://www.geocities.com/bmmpt/events.txt

If you look carefully at the last two, you'll see that they have different
logon ids.
--
John Saunders
johnwsaundersii i at hotmail

>If you look carefully at the last two, you'll see that
they have different

logon ids.
--
John Saunders
johnwsaundersi ii at hotmail

That's true, but that's the only difference, even the time
is the exact same. I'm assuming they're related to the
same event. And in the list of 26 events I mentioned
before, there are more similar events to these two, where
only the id and possibly the time change. If I was to
consider them as logon events I'd be reporting say 6 or 7
logons (for a period of less that 10 seconds) where really
only one occurred.

Bruno.

<an*******@disc ussions.microso ft.com> wrote in message
news:18******** *************** ******@phx.gbl. ..

If you look carefully at the last two, you'll see that

they have different

logon ids.
--
John Saunders
johnwsaundersi ii at hotmail

That's true, but that's the only difference, even the time
is the exact same. I'm assuming they're related to the
same event. And in the list of 26 events I mentioned
before, there are more similar events to these two, where
only the id and possibly the time change. If I was to
consider them as logon events I'd be reporting say 6 or 7
logons (for a period of less that 10 seconds) where really
only one occurred.

If I were you, I'd try to find documentation on those events somewhere. I
wouldn't be so sure that two different login ids really mean only one login.
--
John Saunders
johnwsaundersii i at hotmail