
Track Domain User Logons and Logoffs

My boss asked me to build a program to create a report
with logon/logoff events for all users within our Windows
domain. I'm using .NET to do so and decided to have a
program running on the Domain Controller to listen to all
new events and send them to a database. This last part I
haven't worked on yet, because I can't tell which events are
relevant to write to the db and which are not.

I have managed to listen to all the security log events on
the DC with the following code:

Imports System.Management

' The watcher component (a designer component in the original form)
Dim ManagementEventWatcher1 As New ManagementEventWatcher()

' Subscribe to every new Win32_NTLogEvent written to the Security log,
' polling at most every 60 seconds
ManagementEventWatcher1.Query = New System.Management.EventQuery( _
    "SELECT * FROM __InstanceCreationEvent WITHIN 60 " & _
    "WHERE TargetInstance ISA ""Win32_NTLogEvent"" " & _
    "AND TargetInstance.Logfile = ""Security""")
ManagementEventWatcher1.Scope = New System.Management.ManagementScope("\\sededc01\root\CIMV2")

Dim handler As New MyHandler

AddHandler ManagementEventWatcher1.EventArrived, AddressOf handler.Arrived

' Start watching for events
ManagementEventWatcher1.Start()

This next Sub sends the information of each event to the
Output window of VB.NET:

Public Class MyHandler
    Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Dim mbo As ManagementBaseObject

        ' TargetInstance carries the Win32_NTLogEvent that was just written.
        ' WMI reports a missing value as Nothing (not DBNull), so test for that.
        If Not e.NewEvent.Properties("TargetInstance").Value Is Nothing Then
            mbo = CType(e.NewEvent.Properties("TargetInstance").Value, ManagementBaseObject)

            If Not mbo.Properties("Message").Value Is Nothing Then
                Console.WriteLine(mbo.Properties("Message").Value)
                Console.WriteLine(mbo.Properties("ComputerName").Value)
                Console.WriteLine(mbo.Properties("Category").Value)
                Console.WriteLine(mbo.Properties("EventCode").Value)
                Console.WriteLine(mbo.Properties("User").Value)
            End If
        End If
    End Sub
End Class

My problem is how to interpret the events. There are new
events every second, tons of them, and I'm sure we don't
have people logging on or off every second. Even if I limit
my query to TargetInstance.EventCode = "538", I still get
lots of events being generated, with very similar messages.

Here are some output examples:

Message: Successful Network Logon:
User Name: CML2817$
Domain: CMLOURES
Logon ID: (0x0,0xED81BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Computer: SEDEDC02
Category: 2
EventCode: 540
User: CMLOURES\CML2817$

CML2817$ is not a user, it's a computer of the domain. If
this was a logon, who is the user?

Message: User Logoff:
User Name: CML298$
Domain: CMLOURES
Logon ID: (0x0,0xED81D4)
Logon Type: 3
Computer: SEDEDC02
Category: 2
EventCode: 538
User: CMLOURES\CML298$

If this was a logoff, who is the user?

Is there any way to be sure that one specific event really
is a logon (or logoff) to a computer, to what computer and
what user did it?

Bruno
Nov 18 '05 #1
5 Replies


"Bruno Mendonça" <an*******@discussions.microsoft.com> wrote in message
news:17*****************************@phx.gbl...

In Kerberos, computers are actually logging in and out, as though they were
users. That's what those "$" logins are. Kerberos provides two-way
authentication, where the server can be sure who the client is, and the
client can be sure who the server is.

I believe the event log entry would more accurately say "Principal name"
instead of "user name", as there can be other types of principal logging in.
--
John Saunders
johnwsaundersiii at hotmail
Nov 18 '05 #2
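The two questions so far, which of these events are logons and who the "user" is when the name ends in "$", can be answered mechanically once the Message text is parsed into fields. The following is an added example, not code from the thread, written in Python rather than the VB.NET of the original because only the parsing and classification logic is being shown. The sample Message strings are constructed to match the layout shown in the posts, the event-code meanings are the ones the thread itself shows (540 Successful Network Logon, 538 User Logoff, 673 Service Ticket Granted), and the Logon Type mapping adds type 2 (interactive) as a documented value alongside the type 3 (network) the posts contain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event codes that appear in the thread (Windows 2000/2003-era Security log).
EVENT_KIND = {540: "logon", 538: "logoff", 673: "ticket"}
# Logon Type values: the thread only shows 3; 2 is the documented interactive type.
LOGON_TYPE = {"2": "interactive", "3": "network"}

# Constructed samples in the exact "Field:\t\tValue" layout shown in the posts.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (540, "Successful Network Logon:\n\n\tUser Name:\tCML2817$\n\n\tDomain:\t\tCMLOURES"
          "\n\n\tLogon ID:\t\t(0x0,0xED81BD)\n\n\tLogon Type:\t3\n\n\tLogon Process:\tKerberos"
          "\n\n\tAuthentication Package:\tKerberos\n\n\tWorkstation Name:\t\n"),
    (538, "User Logoff:\n\n\tUser Name:\tCML298$\n\n\tDomain:\t\tCMLOURES"
          "\n\n\tLogon ID:\t\t(0x0,0xED81D4)\n\n\tLogon Type:\t3\n"),
    (540, "Successful Network Logon:\n\n\tUser Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES"
          "\n\n\tLogon ID:\t\t(0x0,0xEEDE5F)\n\n\tLogon Type:\t3\n\n\tLogon Process:\tKerberos"
          "\n\n\tAuthentication Package:\tKerberos\n\n\tWorkstation Name:\t\n"),
    (673, "Service Ticket Granted:\n\n\tUser Name:\t\tbruno_mendonca\n\n\tUser Domain:\t\tCMLOURES.PT"
          "\n\n\tService Name:\t\tDOSINSADS3$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-312552118-5296}"
          "\n\n\tTicket Options:\t\t0x40810010\n\n\tTicket Encryption Type:\t0x17"
          "\n\n\tClient Address:\t\t10.11.1.36\n\n"),
]


def parse_message(message: str) -> Dict[str, str]:
    """Split the event Message into {field: value}. The first line (e.g.
    'Successful Network Logon:') has no value and is stored under 'Title'.
    An empty field such as 'Workstation Name:\\t' yields an empty string."""
    fields: Dict[str, str] = {}
    for raw in message.splitlines():
        line = raw.lstrip("\t ")
        if not line.strip():
            continue
        if ":\t" in line:
            key, value = line.split(":\t", 1)
            fields[key.strip()] = value.strip("\t ")
        elif line.rstrip().endswith(":") and "Title" not in fields:
            fields["Title"] = line.rstrip()[:-1]
    return fields


@dataclass
class LogonEvent:
    event_code: int
    kind: str                   # "logon", "logoff", "ticket" or "other"
    account: str                # the principal named in the message
    domain: str
    logon_id: Optional[str]     # present on 540/538, used to pair them
    logon_type: Optional[str]
    target: Optional[str]       # Service Name on a 673: the host the ticket is for
    is_computer_account: bool   # trailing "$": a machine account, not a person


def classify(event_code: int, message: str) -> LogonEvent:
    f = parse_message(message)
    account = f.get("User Name", "")
    raw_type = f.get("Logon Type")
    return LogonEvent(
        event_code=event_code,
        kind=EVENT_KIND.get(event_code, "other"),
        account=account,
        domain=f.get("Domain") or f.get("User Domain", ""),
        logon_id=f.get("Logon ID"),
        logon_type=LOGON_TYPE.get(raw_type, raw_type),
        target=f.get("Service Name"),
        is_computer_account=account.endswith("$"),
    )


def user_logons(events: List[Tuple[int, str]]) -> List[LogonEvent]:
    """Only the 540s for human accounts. The '$' logons are machine accounts
    authenticating with Kerberos, which is normal and not a person signing in."""
    return [ev for ev in (classify(c, m) for c, m in events)
            if ev.kind == "logon" and not ev.is_computer_account]


def ticket_targets(events: List[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """(account, host) pairs from 673 events. Inference: a service ticket
    granted for DOSINSADS3$ means that user was about to talk to that host,
    which is the 'to what computer' part of the question."""
    return [(ev.account, ev.target) for ev in (classify(c, m) for c, m in events)
            if ev.kind == "ticket" and ev.target]


if __name__ == "__main__":
    for ev in user_logons(SAMPLE_EVENTS):
        print("logon:", ev.domain, ev.account, ev.logon_type, ev.logon_id)
    for account, host in ticket_targets(SAMPLE_EVENTS):
        print("ticket:", account, "->", host)
```

On the four constructed samples this reports a single user logon (bruno_mendonca, network, Logon ID (0x0,0xEEDE5F)) and one ticket target (bruno_mendonca to DOSINSADS3$); the two machine-account events are classified but dropped from the user report rather than discarded at the WMI query, so they stay available if a report on computer accounts is wanted later.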


These are the properties I can access:

TargetInstance.Category
TargetInstance.EventCode
TargetInstance.EventIdentifier
TargetInstance.EventType
TargetInstance.RecordNumber
TargetInstance.CategoryString
TargetInstance.ComputerName
TargetInstance.Logfile
TargetInstance.Message
TargetInstance.SourceName
TargetInstance.Type
TargetInstance.TimeGenerated
TargetInstance.TimeWritten
TargetInstance.User

None of them has any additional information about the
user, except for the ones I'm already outputting (Message
and User).

There is also the chance of creating a Management Event on
the Server Explorer of VB.NET and having it listen to log
events. Once you create an NT Event Log Query and start it,
it automatically writes the events to the Output window
and it displays additional information. So I created one
and started it. Very quickly I logged on to computer
Dosinsads3 under bruno_mendonca, logged off and stopped the
event query. Maybe 20 seconds went by and from the output
generated I retrieved the events referring to either
bruno_mendonca or Dosinsads3. There were 26! For a simple
logon and logoff. I can't tell which one refers to the
logon and which to the logoff...

Here are 3 examples:

1 -

Category = 9; CategoryString = "Account Logon\n";
ComputerName = "SEDEDC02"; EventCode = 673;
InsertionStrings = {"bruno_mendonca", "CMLOURES.PT", "DOSINSADS3$", "%{S-1-5-21-195237392-612787311-312552118-5296}", "0x40810010", "0x17", "10.11.1.36"};
Message = "Service Ticket Granted:\n\n\tUser Name:\t\tbruno_mendonca\n\n\tUser Domain:\t\tCMLOURES.PT\n\n\tService Name:\t\tDOSINSADS3$\n\n\tService ID:\t\t%{S-1-5-21-195237392-612787311-312552118-5296}\n\n\tTicket Options:\t\t0x40810010\n\n\tTicket Encryption Type:\t0x17\n\n\tClient Address:\t\t10.11.1.36\n\n";
TimeGenerated = "20040603191448.000000+060"; Type = "audit success"; User = "NT AUTHORITY\\SYSTEM"; }; };
2 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings = {"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE5F)", "3", "Kerberos", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon ID:\t\t(0x0,0xEEDE5F)\n\n\tLogon Type:\t3\n\n\tLogon Process:\tKerberos\n\n\tAuthentication Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type = "audit success"; User = "CMLOURES\\bruno_mendonca"; }; };
3 -

Category = 2; CategoryString = "Logon/Logoff\n";
ComputerName = "SEDEDC02"; EventCode = 540;
InsertionStrings = {"bruno_mendonca", "CMLOURES", "(0x0,0xEEDE8F)", "3", "Kerberos", "Kerberos", ""};
Message = "Successful Network Logon:\n\n\tUser Name:\tbruno_mendonca\n\n\tDomain:\t\tCMLOURES\n\n\tLogon ID:\t\t(0x0,0xEEDE8F)\n\n\tLogon Type:\t3\n\n\tLogon Process:\tKerberos\n\n\tAuthentication Package:\tKerberos\n\n\tWorkstation Name:\t\n";
TimeGenerated = "20040603191448.000000+060"; Type = "audit success"; User = "CMLOURES\\bruno_mendonca"; }; };
The last 2 are identical!

If you wish to see them all look at this 14kb .txt file:
http://www.geocities.com/bmmpt/events.txt

Thanks for the given help though.

Bruno
Nov 18 '05 #3

"Bruno Mendonça" <an*******@discussions.microsoft.com> wrote in message
news:17*****************************@phx.gbl...

If you look carefully at the last two, you'll see that they have different
logon ids.
--
John Saunders
johnwsaundersiii at hotmail
Nov 18 '05 #4


That's true, but that's the only difference, even the time
is the exact same. I'm assuming they're related to the
same event. And in the list of 26 events I mentioned
before, there are more similar events to these two, where
only the id and possibly the time change. If I was to
consider them as logon events I'd be reporting say 6 or 7
logons (for a period of less than 10 seconds) where really
only one occurred.

Bruno.
Nov 18 '05 #5

<an*******@discussions.microsoft.com> wrote in message
news:18*****************************@phx.gbl...

If I were you, I'd try to find documentation on those events somewhere. I
wouldn't be so sure that two different login ids really mean only one login.
--
John Saunders
johnwsaundersiii at hotmail
Nov 18 '05 #6
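The disagreement in the last three posts, whether two 540 events that differ only in Logon ID are one logon or two, is really a question of what key the report is built on. The following is an added example, not code from the thread, that pairs each 540 with the 538 carrying the same Logon ID to form sessions, so identical-looking logons with different IDs stay separate, and then offers a time-window grouping as an explicitly labelled reporting choice on top. The records are constructed after the examples in the posts (TimeGenerated with the fractional seconds and zone offset dropped, EventCode, User, Logon ID), including one logoff whose logon was never seen, which a watcher started mid-day will always encounter.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# (time as "YYYYMMDDhhmmss", EventCode, User, Logon ID). Constructed after
# the thread's examples; the ID values are placeholders in the same format.
Record = Tuple[str, int, str, str]

SAMPLE_RECORDS: List[Record] = [
    ("20040603191448", 540, "CMLOURES\\bruno_mendonca", "(0x0,0xEEDE5F)"),
    ("20040603191448", 540, "CMLOURES\\bruno_mendonca", "(0x0,0xEEDE8F)"),  # same second, other ID
    ("20040603191448", 540, "CMLOURES\\CML2817$", "(0x0,0xED81BD)"),        # machine account
    ("20040603191455", 538, "CMLOURES\\bruno_mendonca", "(0x0,0xEEDE5F)"),
    ("20040603191503", 538, "CMLOURES\\CML2817$", "(0x0,0xED81BD)"),
    ("20040603191503", 538, "CMLOURES\\bruno_mendonca", "(0x0,0xEEDE8F)"),
    ("20040603191510", 538, "CMLOURES\\bruno_mendonca", "(0x0,0xABC123)"),  # logon never seen
]


def parse_time(t: str) -> datetime:
    return datetime.strptime(t, "%Y%m%d%H%M%S")


def is_computer_account(user: str) -> bool:
    """Domain computer accounts end in '$'; they log on and off like users."""
    return user.rstrip().endswith("$")


def build_sessions(records: List[Record],
                   include_computer_accounts: bool = False) -> Tuple[List[dict], List[Record]]:
    """Return (sessions, orphan_logoffs). A session is opened by a 540 and
    closed by the 538 that carries the same Logon ID. The Logon ID is the
    key: it identifies one logon session on the computer that wrote the
    event, so two 540s with different IDs are two sessions even when user,
    type and time all match. A 538 with no matching open session is kept
    separately instead of being silently dropped or crashing the loop."""
    open_sessions: Dict[str, dict] = {}
    closed: List[dict] = []
    orphans: List[Record] = []
    for time, code, user, logon_id in records:  # assumed to be in log order
        if not include_computer_accounts and is_computer_account(user):
            continue
        if code == 540:
            open_sessions[logon_id] = {"user": user, "logon_id": logon_id,
                                       "logon": parse_time(time), "logoff": None}
        elif code == 538:
            session = open_sessions.pop(logon_id, None)
            if session is None:
                orphans.append((time, code, user, logon_id))
                continue
            session["logoff"] = parse_time(time)
            closed.append(session)
    # Sessions still open when the input ends are reported without a logoff.
    return closed + list(open_sessions.values()), orphans


def durations(sessions: List[dict]) -> Dict[str, float]:
    """Seconds between logon and logoff per Logon ID; open sessions are skipped."""
    return {s["logon_id"]: (s["logoff"] - s["logon"]).total_seconds()
            for s in sessions if s["logoff"] is not None}


def collapse_bursts(sessions: List[dict], window_seconds: int = 10) -> Dict[str, int]:
    """Count, per user, groups of sessions whose logon falls within
    window_seconds of the first logon in the group. This is a reporting
    choice layered on top of the sessions, not something the log states:
    the distinct Logon IDs remain the ground truth."""
    counts: Dict[str, int] = {}
    group_start: Dict[str, datetime] = {}
    for s in sorted(sessions, key=lambda s: s["logon"]):
        user = s["user"]
        start = group_start.get(user)
        if start is None or (s["logon"] - start).total_seconds() > window_seconds:
            counts[user] = counts.get(user, 0) + 1
            group_start[user] = s["logon"]
    return counts


if __name__ == "__main__":
    sessions, orphans = build_sessions(SAMPLE_RECORDS)
    for s in sessions:
        print(s["user"], s["logon_id"], s["logon"], "->", s["logoff"])
    print("orphan logoffs:", orphans)
    print("durations:", durations(sessions))
    print("bursts (10 s):", collapse_bursts(sessions))
```

On the constructed records this yields two sessions for bruno_mendonca (7 and 15 seconds long), one orphan logoff, and, with a 10-second window, one burst; the report can therefore print both numbers, distinct sessions and grouped logons, and let the reader decide which one answers "how many times did this person log on", which is the question the thread leaves open.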
