[Chicago-talk] Windows event Logs
e.ellington at gmail.com
Fri Feb 8 14:38:01 PST 2008
On Feb 8, 2008 3:41 PM, Young, Darren <Darren.Young at chicagogsb.edu> wrote:
> > Using ActiveState I have used Win32::EventLog. It works. It will
> > gather info from local and remote machines.
> Have you ever tried to parse the "Strings" part of the messages? I'm
> noticing there's not a whole lot of consistency between different event
> id's. Even in the 540 the number of "columns" in the actual even message
> isn't consistent.
Yup, it sucks. It is sort of filled in with data from the event, and
sort of not.
This is the description from an entry in the event log:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: SYSTEM
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E7)
For more information, see Help and Support Center at
Strings gives you null spaced crap (I think):
SYSTEM \0 NT AUTHORITY \0 (0x0,0x3E7) \0 SYSTEM \0 NT AUTHORITY \0 (0x0,0x3E7)
I added the \0s
So you can use tr/\0/\n/ or something similar.
I am not sure what \0 really means I have never found it in any
official docs, I found it on the web a while back. It will replace the
nulls in the string however.
> > Also, 540 can look like a weird event. A 540 is generated when a user
> > logs on a machine, but also when a user access anything over the
> > network. So if the user views a network drive you will get a new 540.
> > Also if the user starts editing files in the network directory you
> > will get a ton of 540 events. So every time word auto saves to a
> > network drive you can expect a new 540.
> Yea, I noticed that and I don't see any way to break the logon type down
> much more granular than type 3.
> What I have to do here...
> The University has decided to forward on DMCA complaints to network
> users. I'm in a "business unit" (graduate school) where we run our own
> DHCP and authentication (LDAP and AD). Our central NETSEC group receives
> a DMCA complaint because they're listed against the 128.135.x.x block,
> however if the IP in question is on one of ours they forward the request
> to me to determine who the user actually was during the date/time in
> question. I get the date/time, IP address and MAC address of the
> "offender" in question from the NETSEC group.
> So, my first step was to log all DHCP events to a database table and
> keep 3 months of those. With that I can then prove in fact we gave that
> IP to that MAC during that time period (they can get the MAC wrong).
> What I have to do now is map that IP back to an authentication request
> to AD to obtain the Windows username which can then be tracked to a
> person. The only event I can find that fits is the 540 logon type 3,
> even though there are a ton of them. That event contains the source IP
> address of the request that hit AD as well as the Windows username that
> was authenticated.
> Perhaps there's some way I can filter them down even further (remove
> network drive access, etc) before inserting them into a database table.
> Chicago-talk mailing list
> Chicago-talk at pm.org
e.ellington at gmail.com
More information about the Chicago-talk