Posted by Roger Abell on June 22, 2005, 12:32 am
Lee,
I guess it resolves down to just what you consider "real" interactive
logins as compared to your already narrowed to "EventCategory = 2"
I am assuming you want to rule out such as website authoring that does
a type 2 login, etc.
Can you either 1) characterize a string-form for the workstations where
the login happens that are considered "real" interactive, or 2) characterize
machines where type 2 that are not "real" per your criteria are being seen?
I mean, the problem is that type 2 login is type 2 login, so you will need
to leverage some other determining factor.
--
Roger Abell
Microsoft MVP (Windows Security)
> On Sun, 19 Jun 2005 01:48:13 -0700, Roger Abell wrote:
>
> > Installing syslog does not redirect the Windows event messages
> > into it. Go to microsoft.com/downloads and get LogParser.
> > Enable both logon categories in the Audit policies section of
> > a GPO that is linked to the domain or domain controllers OU.
> > Then, figure up a scheduled task that kicks off to grep out a
> > report of the first login per domain user seen since midnight or
> > some suitable time threshold. You might also want to visit
> > http://www.logparser.com/
>
> Thanks for the tip. I've got it installed and have been working with it,
> but can't seem to form a query to explicitly isolate real interactive
> logins. I've gotten quite close, but was wondering if anyone else with
> LogParser experience could help me narrow this down a bit.
>
>
> LogParser "SELECT DISTINCT TimeGenerated AS LogonDate, RESOLVE_SID(sid)
> AS Account, Message INTO Report.html FROM Security WHERE EventID NOT IN
> (541;542;543) AND EventType = 8 AND EventCategory = 2 AND TimeWritten >=
> SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('4', 'h') ) AND
> EXTRACT_TOKEN(Strings, 0, '|') NOT LIKE '%%$' AND RESOLVE_SID(SID) NOT
> LIKE '%%ANON%%'" -i:EVT -o:TPL -tpl:MyTemplate.txt
>
> Any Takers?
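The filtering logic of the posted query plus the "other determining factor" Roger suggests (option 1, a workstation naming pattern), as an added example that is not part of the thread and is not LogParser's own code. It assumes Windows 2003 event 528 rows whose Strings column is pipe-separated as user|domain|logon id|logon type|logon process|auth package|workstation, and a hypothetical WS- prefix naming convention for real desktops; the events are constructed sample data.

```python
import re
from datetime import datetime

# Assumed naming convention: only machines named WS-<something> count as
# "real" interactive workstations; web/app servers doing type 2 logons do not.
REAL_WORKSTATION = re.compile(r"^WS-", re.IGNORECASE)

def ev(ts, event_id, strings, event_type=8, category=2):
    """Build one constructed Security log row in LogParser EVT column shape."""
    return {"TimeGenerated": ts, "EventID": event_id, "EventType": event_type,
            "EventCategory": category, "Strings": strings}

# Constructed sample events, not real log data. Assumed Strings layout for
# event 528: user|domain|logon id|logon type|logon process|auth package|workstation
SAMPLE_EVENTS = [
    ev("2005-06-21 08:05:40", 528, "lee|CORP|(0x0,0x1B00)|2|User32|Negotiate|WS-LEE01"),
    ev("2005-06-21 08:02:11", 528, "lee|CORP|(0x0,0x1A2B)|2|User32|Negotiate|WS-LEE01"),
    ev("2005-06-21 07:58:03", 528, "websvc|CORP|(0x0,0x1C11)|2|Advapi|Negotiate|WEB01"),
    ev("2005-06-21 08:10:00", 540, "lee|CORP|(0x0,0x1D22)|3|Kerberos|Kerberos|WS-LEE01"),
    ev("2005-06-21 08:11:00", 528, "WS-LEE01$|CORP|(0x0,0x1E33)|2|User32|Negotiate|WS-LEE01"),
    ev("2005-06-21 08:12:00", 528, "ANONYMOUS LOGON|NT AUTHORITY|(0x0,0x1F44)|2|NtLmSsp|NTLM|WS-LEE01"),
    ev("2005-06-21 03:00:00", 528, "alice|CORP|(0x0,0x2055)|2|User32|Negotiate|WS-ALICE"),
    ev("2005-06-21 08:20:00", 529, "bob|CORP|(0x0,0x2166)|2|User32|Negotiate|WS-BOB", event_type=16),
]

def first_interactive_logons(events, since):
    """Return {account: (first logon time, workstation)} for successful
    type 2 logons from 'real' workstations at or after 'since'."""
    first = {}
    for e in events:
        when = datetime.strptime(e["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        # Same filters as the posted query: success audit (EventType 8),
        # Logon/Logoff category, skip IPsec events 541-543, time threshold.
        if e["EventType"] != 8 or e["EventCategory"] != 2:
            continue
        if e["EventID"] in (541, 542, 543) or when < since:
            continue
        fields = e["Strings"].split("|")
        if len(fields) < 7:
            continue
        account, logon_type, workstation = fields[0], fields[3], fields[6]
        # Drop computer accounts (trailing $) and anonymous logons, as the query does.
        if account.endswith("$") or "ANON" in account.upper():
            continue
        # The extra determining factor: logon type 2 AND a workstation name
        # that matches the convention for real desktops.
        if logon_type != "2" or not REAL_WORKSTATION.match(workstation):
            continue
        if account not in first or when < first[account][0]:
            first[account] = (when, workstation)
    return first
```

Running `first_interactive_logons(SAMPLE_EVENTS, datetime(2005, 6, 21, 4, 0))` keeps only lee's earliest desktop logon; the service-account logon on WEB01, the type 3 network logon, the computer account, the anonymous logon, the pre-threshold logon and the failed logon all drop out.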