My boss asked me to build a program to create a report with logon/logoff events for all users within our Windows domain. I'm using .NET to do so and decided to have a program running on the Domain Controller to listen to all new events and send them to a database. This last part I haven't worked on yet, because I can't tell which events are relevant to write to the db and which are not.
I have managed to listen to all the security log events on the DC with the following code:
ManagementEventWatcher1.Query = New System.Management.EventQuery( _
    "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA ""Win32_NTLogEvent""" & _
    " and TargetInstance.Logfile = ""Security""")
ManagementEventWatcher1.Scope = New System.Management.ManagementScope("\\sededc01\root\CIMV2")
Dim handler As New MyHandler
AddHandler ManagementEventWatcher1.EventArrived, AddressOf handler.Arrived
' Start watching for events
ManagementEventWatcher1.Start()
This next Sub sends the information of each event to the output window of VB.NET:
Imports System.Management

Public Class MyHandler
    Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Dim mbo As ManagementBaseObject
        ' TargetInstance is the Win32_NTLogEvent instance that was just written.
        ' WMI returns Nothing (not DBNull) for a missing value, so test the .Value for Nothing.
        If Not e.NewEvent.Properties("TargetInstance").Value Is Nothing Then
            mbo = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)
            If Not mbo.Properties("Message").Value Is Nothing Then
                Console.WriteLine(mbo.Properties("Message").Value)
                Console.WriteLine(mbo.Properties("ComputerName").Value)
                Console.WriteLine(mbo.Properties("Category").Value)
                Console.WriteLine(mbo.Properties("EventCode").Value)
                Console.WriteLine(mbo.Properties("User").Value)
            End If
        End If
    End Sub
End Class
My problem is how to interpret the events. There are new events every second, tons of them. And I'm sure we don't have people logging on or off every second. Even if I limit my query to TargetInstance.EventCode = "538", I still get lots of events being generated, with very similar messages.
Here are some output examples:
Message: Successful Network Logon:
    User Name: CML2817$
    Domain: CMLOURES
    Logon ID: (0x0,0xED81BD)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$
CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?
Message: User Logoff:
    User Name: CML298$
    Domain: CMLOURES
    Logon ID: (0x0,0xED81D4)
    Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$
If this was a logoff, who is the user?
Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?
Bruno
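As an added illustration (not the poster's code, and written in Python rather than VB.NET so the logic can be tried directly against the pasted messages), this parses the "Key: Value" text of the Message field shown above, drops machine-account noise, and pairs each logon with its logoff by Logon ID. The event IDs and logon types are the pre-Vista numbering this DC uses; the user 'jdoe' and workstation WS01 in the sample are made up.

```python
import re
from collections import namedtuple
LOGON_CODES, LOGOFF_CODES = {528, 540}, {538, 551}  # pre-Vista IDs: 528/540 logon (540 = network), 538/551 logoff
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}  # also 4 Batch, 5 Service, 7 Unlock
_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
# 'computer' is the machine that LOGGED the event (the DC here), not where the user sat.
LogonEvent = namedtuple("LogonEvent", "action user logon_id logon_type computer is_computer_account")

def parse_message(message):
    """Turn the 'Key: Value' lines of an event Message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(event):
    """event = {EventCode, ComputerName, Message} as read from Win32_NTLogEvent."""
    code = int(event["EventCode"])
    action = "logon" if code in LOGON_CODES else "logoff" if code in LOGOFF_CODES else None
    if action is None:
        return None  # not a logon/logoff event at all
    f = parse_message(event["Message"])
    name = f.get("User Name", "")
    ltype = LOGON_TYPES.get(int(f.get("Logon Type") or 0), "Other")
    return LogonEvent(action, f"{f.get('Domain', '')}\\{name}", f.get("Logon ID", ""),
                      ltype, event["ComputerName"], name.endswith("$"))

def pair_sessions(events):
    """Match logons to logoffs by (computer, Logon ID); return completed sessions.
    Machine accounts (names ending in '$') are skipped: a Type 3 (Network) logon of
    CML2817$ on the DC is that PC talking to the DC, not a person at a desk."""
    open_logons, sessions = {}, []
    for ev in map(classify, events):
        if ev is None or ev.is_computer_account:
            continue
        key = (ev.computer, ev.logon_id)
        if ev.action == "logon":
            open_logons[key] = ev
        elif key in open_logons:
            s = open_logons.pop(key)
            sessions.append((s.user, s.logon_type, s.computer, s.logon_id))
    return sessions

# Constructed sample modelled on the poster's output; user 'jdoe' and WS01 are made up.
SAMPLE = [
    {"EventCode": 540, "ComputerName": "SEDEDC02", "Message": "Successful Network Logon:\nUser Name: CML2817$\nDomain: CMLOURES\nLogon ID: (0x0,0xED81BD)\nLogon Type: 3\nWorkstation Name: "},
    {"EventCode": 540, "ComputerName": "SEDEDC02", "Message": "Successful Network Logon:\nUser Name: jdoe\nDomain: CMLOURES\nLogon ID: (0x0,0xED81F0)\nLogon Type: 3\nWorkstation Name: WS01"},
    {"EventCode": 538, "ComputerName": "SEDEDC02", "Message": "User Logoff:\nUser Name: jdoe\nDomain: CMLOURES\nLogon ID: (0x0,0xED81F0)\nLogon Type: 3"},
]
```

Interactive logons to a workstation (Type 2) are recorded in that workstation's own security log, so a DC-only watcher sees mostly network logons to the DC itself.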