[Chicago-talk] Windows event Logs

Young, Darren Darren.Young at ChicagoGSB.edu
Fri Feb 8 13:41:13 PST 2008

> Using ActiveState I have used Win32::EventLog. It works. It will
> gather info from local and remote machines.

Have you ever tried to parse the "Strings" part of the messages? I'm
noticing there's not a whole lot of consistency between different event
id's. Even in the 540 the number of "columns" in the actual even message
isn't consistent.
> Also, 540 can look like a weird event. A 540 is generated when a user
> logs on a machine, but also when a user access anything over the
> network. So if the user views a network drive you will get a new 540.
> Also if the user starts editing files in the network directory you
> will get a ton of 540 events. So every time word auto saves to a
> network drive you can expect a new 540.

Yea, I noticed that and I don't see any way to break the logon type down
much more granular than type 3.

What I have to do here...

The University has decided to forward on DMCA complaints to network
users. I'm in a "business unit" (graduate school) where we run our own
DHCP and authentication (LDAP and AD). Our central NETSEC group receives
a DMCA complaint because they're listed against the 128.135.x.x block,
however if the IP in question is on one of ours they forward the request
to me to determine who the user actually was during the date/time in
question. I get the date/time, IP address and MAC address of the
"offender" in question from the NETSEC group.

So, my first step was to log all DHCP events to a database table and
keep 3 months of those. With that I can then prove in fact we gave that
IP to that MAC during that time period (they can get the MAC wrong).
What I have to do now is map that IP back to an authentication request
to AD to obtain the Windows username which can then be tracked to a
person. The only event I can find that fits is the 540 logon type 3,
even though there are a ton of them. That event contains the source IP
address of the request that hit AD as well as the Windows username that
was authenticated.

Perhaps there's some way I can filter them down even further (remove
network drive access, etc) before inserting them into a database table.

More information about the Chicago-talk mailing list