[Chicago-talk] Windows event Logs

Eric Ellington e.ellington at gmail.com
Fri Feb 8 14:38:01 PST 2008

On Feb 8, 2008 3:41 PM, Young, Darren <Darren.Young at chicagogsb.edu> wrote:
> > Using ActiveState I have used Win32::EventLog. It works. It will
> > gather info from local and remote machines.
> Have you ever tried to parse the "Strings" part of the messages? I'm
> noticing there's not a whole lot of consistency between different event
> id's. Even in the 540 the number of "columns" in the actual even message
> isn't consistent.

Yup, it sucks. It is sort of filled in with data from the event, and
sort of not.

This is the description from an entry in the event log:

The audit log was cleared
 	Primary User Name:	SYSTEM
 	Primary Domain:	NT AUTHORITY
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	SYSTEM
 	Client Domain:	NT AUTHORITY
 	Client Logon ID:	(0x0,0x3E7)

For more information, see Help and Support Center at

Strings gives you null spaced crap (I think):

SYSTEM \0 NT AUTHORITY \0 (0x0,0x3E7) \0 SYSTEM \0 NT AUTHORITY \0 (0x0,0x3E7)

I added the \0s

So you can use tr/\0/\n/ or something similar.

I am not sure what \0 really means I have never found it in any
official docs, I found it on the web a while back. It will replace the
nulls in the string however.

> > Also, 540 can look like a weird event. A 540 is generated when a user
> > logs on a machine, but also when a user access anything over the
> > network. So if the user views a network drive you will get a new 540.
> > Also if the user starts editing files in the network directory you
> > will get a ton of 540 events. So every time word auto saves to a
> > network drive you can expect a new 540.
> Yea, I noticed that and I don't see any way to break the logon type down
> much more granular than type 3.
> What I have to do here...
> The University has decided to forward on DMCA complaints to network
> users. I'm in a "business unit" (graduate school) where we run our own
> DHCP and authentication (LDAP and AD). Our central NETSEC group receives
> a DMCA complaint because they're listed against the 128.135.x.x block,
> however if the IP in question is on one of ours they forward the request
> to me to determine who the user actually was during the date/time in
> question. I get the date/time, IP address and MAC address of the
> "offender" in question from the NETSEC group.
> So, my first step was to log all DHCP events to a database table and
> keep 3 months of those. With that I can then prove in fact we gave that
> IP to that MAC during that time period (they can get the MAC wrong).
> What I have to do now is map that IP back to an authentication request
> to AD to obtain the Windows username which can then be tracked to a
> person. The only event I can find that fits is the 540 logon type 3,
> even though there are a ton of them. That event contains the source IP
> address of the request that hit AD as well as the Windows username that
> was authenticated.
> Perhaps there's some way I can filter them down even further (remove
> network drive access, etc) before inserting them into a database table.
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk

Eric Ellington
e.ellington at gmail.com

More information about the Chicago-talk mailing list