#181961 - 2007-10-25 11:43 PM Syslog Audit of Logon / Logoff
Gargoyle Offline
MM club member
Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
I am attempting to create a script that will read our syslog files from the Domain Controllers that have a record of all Logon and Logoff transactions. This includes every single time any network resource is accessed.

I am having a problem identifying what the "Network Logon / Logoff" events are (event IDs are not supplied).

I have the raw log files at my disposal if needed, but they are quite large and I would have to "scrub" them first.

As an example piece from the log, though (this is just one line that I broke up for readability):

Code:
2007-10-24 08:04:06	Daemon.Notice	DC-SERVER	Security: DOMAIN\username: Object Open: Object Server: 
Security Account Manager Object Type: SAM_SERVER Object Name: CN=Server,CN=System,DC=DOMAIN,DC=STATE,DC=AZ,DC=US 
Handle ID: 226087280 Operation ID: {0,639024591} Process ID: 380 Process Name: C:\WINDOWS\system32\lsass.exe 
Primary User Name: DC-SERVER$ Primary Domain: DOMAIN Primary Logon ID: (0x0,0x3E7) Client User Name: username 
Client Domain: DOMAIN Client Logon ID: (0x0,0x2616A3CA) Accesses: (Error 1537) (Error 1538) (Error 1539) (Error 1540) 
(Error 5376) (Error 5377) (Error 5378) (Error 5379) A network adapter malfunction has occurred.<013><010>
The network control block (NCB) request was refused.  The NCB is the data.<013><010> 
The network control block (NCB) command is still pending.<013><010>The NCB is the data.<013><010> (Error 5382) 
(Error 5383) (Error 5384) Privileges: - Properties: --- %{bf967aad-0de6-11d0-a285-00aa003049e2} Access Mask: 0
_________________________
Today is the tomorrow you worried about yesterday.

#181963 - 2007-10-26 02:01 AM Re: Syslog Audit of Logon / Logoff [Re: Gargoyle]
It_took_my_meds Offline
Hey THIS is FUN
Registered: 2003-05-07
Posts: 273
Loc: Sydney, Australia
Hi Gargoyle,

I stripped this code out of my inventory collection script. It gets the data using LogParser and may help you as a starting point.

Code:
Break On 

;region Log Parser
; Needs Microsoft Log Parser installed (MSUtil.LogQuery COM object); skipped on NT 4.
If @INWIN = 1 And Not InStr(@PRODUCTTYPE," NT")
	Dim $oLogQuery
	$oLogQuery = CreateObject("MSUtil.LogQuery")
	If VarType($oLogQuery) = 9
		;User logons
		Dim $Data,$What,$Where,$Order
		$Order = "To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
		If InStr(@PRODUCTTYPE," 2000") Or InStr(@PRODUCTTYPE," XP") Or InStr(@PRODUCTTYPE," 2003")
			; Pre-Vista IDs: 528 = successful logon, 551 = user initiated logoff.
			; In the pipe-delimited Strings field, token 3 is the logon type
			; (2 = interactive, 10 = remote interactive) and token 4 the logon process.
			$What = "Case EventID When 528 Then 'Logon' When 551 Then 'Logoff' END, To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
			$What = $What+", RESOLVE_SID(SID), SID"
			$Where = "EventID = 551 Or (EventID = 528 AND (EXTRACT_TOKEN(Strings,3,'|')='2' Or EXTRACT_TOKEN(Strings,3,'|')='10') And EXTRACT_TOKEN(Strings,4,'|') like 'User32%')"
		Else
			; Vista and later IDs: 4624 = logon, 4647 = user initiated logoff.
			; Token positions differ here: logon type is token 8, logon process token 9,
			; logon GUID token 12, and the target SID is token 4 (4624) or token 0 (4647).
			$What = "Case EventID When 4624 Then 'Logon' When 4647 Then 'Logoff' END, To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
			$What = $What+", Case EventID When 4624 Then RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|'))"
			$What = $What+" When 4647 Then RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) END"
			$What = $What+", Case EventID When 4624 Then EXTRACT_TOKEN(Strings,4,'|') When 4647 Then EXTRACT_TOKEN(Strings,0,'|') END"
			$Where = "EventID = 4647 Or (EventID = 4624 AND (EXTRACT_TOKEN(Strings,8,'|')='2' Or EXTRACT_TOKEN(Strings,8,'|')='11')"
			$Where = $Where+" And EXTRACT_TOKEN(Strings,9,'|') like 'User32%'"
			$Where = $Where+" And EXTRACT_TOKEN(Strings,12,'|')='{00000000-0000-0000-0000-000000000000}')"
		EndIf
		$Data = LogToDataTable($oLogQuery,"Security","UserLogs",$What,$Where,$Order)
	EndIf
EndIf

; Run a Log Parser query against an event log and return the rows as an array of arrays.
; $Checkpoint names a .lpc file so that repeated runs only return records added since the last run.
Function LogToDataTable($oLogQuery, $Source, $Checkpoint, $sFields, Optional $Criteria, $Order)
		
	Dim $oEventLog, $oRecordSet,$Query
	$oEventLog = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
	$oEventLog.iCheckPoint = %windir% + "\system32\logs\" + $Checkpoint + ".lpc"
	If Not Exist(%windir%+"\system32\logs\")
		MD %windir%+"\system32\logs\"
	EndIf
	$Query = "Select Distinct "+$sFields+" from "+$Source+IIf($Criteria," where "+$Criteria,"")+IIf($Order," order by "+$Order,"")
	$oRecordSet = $oLogQuery.Execute($Query, $oEventLog)
	While Not $oRecordSet.atEnd
		; Each record becomes one row: its columns split on a Chr(1) separator
		$LogToDataTable = Push($LogToDataTable, Split($oRecordSet.getRecord.toNativeString(Chr(1)), Chr(1)))
		$oRecordSet.moveNext
	Loop
		
EndFunction
;endregion

; Append $s to array $a and return the grown array
Function Push($a,$s)
	
	Dim $i
	$i = UBound($a)+1
	ReDim Preserve $a[$i]
	$a[$i] = $s
	$Push = $a
	
EndFunction



Cheers,

Richard


Edited by It_took_my_meds (2007-11-14 04:42 AM)

#181966 - 2007-10-26 04:54 AM Re: Syslog Audit of Logon / Logoff [Re: It_took_my_meds]
Gargoyle Offline
MM club member
Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
Here you are looking at the event logs, where there are event IDs. I do not have the luxury of event IDs. All I have is the syslog messages as shown above.
#181967 - 2007-10-26 05:53 AM Re: Syslog Audit of Logon / Logoff [Re: Gargoyle]
It_took_my_meds Offline
Hey THIS is FUN
Registered: 2003-05-07
Posts: 273
Loc: Sydney, Australia
In the code it shows that the interactive logon event IDs are:

Case EventID When 528 Then 'Logon' When 551 Then 'Logoff' END

when:

EventID = 551 Or EventID = 528 AND EXTRACT_TOKEN(Strings,3,'|')='2' And EXTRACT_TOKEN(Strings,4,'|') like 'User32%'

Why don't you just run my code (using a Group Policy startup script or a system scheduled task set up by Group Policy) on each machine and dump it into a DB?
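The following is an added example, not code from this thread or from either poster: a Python parser for the tab-separated syslog records shown in the first post, which then applies this reply's LogParser criteria (event 528 with logon type 2 or 10 and logon process User32, plus every 551) to the flattened event text. It assumes the syslog agent writes the Windows event description verbatim, so the description header ("Successful Logon", "User initiated logoff") can stand in for the missing event ID; the header-to-ID table, the field names and the sample lines are constructed from the Windows 2003 event descriptions and should be checked against real records before use.

```python
"""Parse Windows Security events a syslog agent flattened onto one tab-separated line (first post's
format) and select logon/logoff records with the LogParser query's criteria.  Added example."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows 2003 description headers -> event IDs.  Assumption (not from the thread): the agent
# writes the event description verbatim, so the header stands in for the missing event ID.
EVENT_IDS = {"Successful Logon": 528, "Successful Network Logon": 540,
             "User Logoff": 538, "User initiated logoff": 551}

# Field names from the Object Open and logon/logoff descriptions.  In the flattened text the
# next field name is the only delimiter after a value, so the parser must know them up front.
FIELD_NAMES = [
    "Object Server", "Object Type", "Object Name", "Handle ID", "Operation ID", "Process ID",
    "Process Name", "Primary User Name", "Primary Domain", "Primary Logon ID", "Client User Name",
    "Client Domain", "Client Logon ID", "Accesses", "Privileges", "Properties", "Access Mask",
    "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process", "Authentication Package",
    "Workstation Name", "Logon GUID", "Caller User Name", "Caller Domain", "Caller Logon ID",
    "Caller Process ID", "Transited Services", "Source Network Address", "Source Port",
]
# A name must start the body or follow whitespace, so "User Name:" cannot fire inside
# "Primary User Name:"; longest names are tried first.
_FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(
    re.escape(n) for n in sorted(FIELD_NAMES, key=len, reverse=True)) + r"):")
# "Security: DOMAIN\user: <description header>: <fields ...>"
_HEADER_RE = re.compile(r"^Security: (?P<subject>[^:]+): (?P<event>[^:]+):\s*(?P<body>.*)$")


@dataclass
class SecurityEvent:
    timestamp: str
    host: str
    subject: str          # "DOMAIN\\user" as written by the agent
    event: str            # description header, e.g. "Object Open"
    fields: dict = field(default_factory=dict)

    @property
    def event_id(self) -> Optional[int]:
        return EVENT_IDS.get(self.event)

    @property
    def kind(self) -> str:
        return {528: "logon", 540: "logon", 538: "logoff", 551: "logoff"}.get(self.event_id, "other")


def parse_fields(body: str) -> dict:
    """Split 'Key: value Key: value ...' into a dict using the known key names."""
    matches = list(_FIELD_RE.finditer(body))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        out[m.group(1)] = body[m.end():end].strip()
    return out


def parse_line(line: str) -> Optional[SecurityEvent]:
    """Parse one syslog line (timestamp, facility.severity, host, message); None if not Security."""
    parts = line.rstrip("\r\n").split("\t", 3)
    if len(parts) != 4:
        return None
    timestamp, _facility, host, message = parts
    m = _HEADER_RE.match(message)
    if not m:
        return None
    return SecurityEvent(timestamp, host, m.group("subject"), m.group("event"), parse_fields(m.group("body")))


def is_interactive_session_event(ev: SecurityEvent) -> bool:
    """The reply's WHERE clause: every 551, and 528 only for logon type 2 or 10 via User32
    (so type-3 network logons from share access, which the first post mentions, are excluded)."""
    if ev.event_id == 551:
        return True
    if ev.event_id == 528:
        return (ev.fields.get("Logon Type") in ("2", "10")
                and ev.fields.get("Logon Process", "").startswith("User32"))
    return False


def session_events(lines):
    """(timestamp, kind, user name, logon id) for each selected record, in file order."""
    return [(ev.timestamp, ev.kind, ev.fields.get("User Name", ""), ev.fields.get("Logon ID", ""))
            for ev in map(parse_line, lines) if ev is not None and is_interactive_session_event(ev)]


# Constructed sample: the first post's Object Open record (trimmed), then an interactive logon,
# a network logon and a user-initiated logoff in the same flattened format.
SAMPLE_LOG = [
    "2007-10-24 08:04:06\tDaemon.Notice\tDC-SERVER\tSecurity: DOMAIN\\username: Object Open: Object Server: "
    "Security Account Manager Object Type: SAM_SERVER Client User Name: username Client Domain: DOMAIN "
    "Client Logon ID: (0x0,0x2616A3CA) Access Mask: 0",
    "2007-10-24 08:05:12\tDaemon.Notice\tDC-SERVER\tSecurity: DOMAIN\\username: Successful Logon: User Name: "
    "username Domain: DOMAIN Logon ID: (0x0,0x2616A3CA) Logon Type: 2 Logon Process: User32 "
    "Authentication Package: Negotiate Workstation Name: DC-SERVER Logon GUID: -",
    "2007-10-24 08:06:30\tDaemon.Notice\tDC-SERVER\tSecurity: DOMAIN\\username: Successful Network Logon: "
    "User Name: username Domain: DOMAIN Logon ID: (0x0,0x2616B100) Logon Type: 3 Logon Process: Kerberos "
    "Authentication Package: Kerberos Workstation Name: WS01 Logon GUID: -",
    "2007-10-24 17:02:41\tDaemon.Notice\tDC-SERVER\tSecurity: DOMAIN\\username: User initiated logoff: "
    "User Name: username Domain: DOMAIN Logon ID: (0x0,0x2616A3CA)",
]

if __name__ == "__main__":
    for row in session_events(SAMPLE_LOG):
        print(*row, sep="\t")
```

The Logon ID field is the value to pair on: the same `(0x0,0x2616A3CA)` appears on the logon, on every Object Open record that session generates, and on the logoff, so once the logon/logoff records are selected a session can be bracketed without any event ID. Because the key names are the only delimiters in the flattened text, any field name missing from FIELD_NAMES silently ends up inside the preceding value, so compare the parsed dict against a few real records before trusting it over a year of logs.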

#181968 - 2007-10-26 07:31 AM Re: Syslog Audit of Logon / Logoff [Re: It_took_my_meds]
Gargoyle Offline
MM club member
Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
Because I have to search syslog logs from more than 1 year ago. That is why I am unable to use the event logs.
#181969 - 2007-10-26 07:40 AM Re: Syslog Audit of Logon / Logoff [Re: Gargoyle]
It_took_my_meds Offline
Hey THIS is FUN
Registered: 2003-05-07
Posts: 273
Loc: Sydney, Australia
Hmmm, sorry but I don't have any experience parsing syslogs.
Best of luck...

#181975 - 2007-10-26 09:20 AM Re: Syslog Audit of Logon / Logoff [Re: It_took_my_meds]
Mart Moderator Offline
KiX Supporter
Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Can someone rip out or break the loooooooooong lines?
Almost impossible to read like this.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#181978 - 2007-10-26 10:20 AM Re: Syslog Audit of Logon / Logoff [Re: Mart]
Jochen Administrator Offline
KiX Supporter
Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Caution, wide load thread :o
#182003 - 2007-10-26 07:40 PM Re: Syslog Audit of Logon / Logoff [Re: Jochen]
NTDOC Administrator Offline
Administrator
Registered: 2000-07-28
Posts: 11628
Loc: CA
It's actually an Internet Explorer issue. Viewed with Firefox it looks correct.

No promise but there is maybe some hope that UBBT 7.3 will correct this (I'm not holding my breath for it though)

#182012 - 2007-10-27 12:10 AM Re: Syslog Audit of Logon / Logoff [Re: It_took_my_meds]
Les Offline
KiX Master
Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Originally Posted By: It_took_my_meds
Sorry for the long lines..

Don't apologize, just fix it.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
