List: prelude-devel
Subject: [prelude-devel] EVT Windows
From: "Andrea Modesto Rossi" <amrossi () linux ! it>
Date: 2009-03-11 14:37:59
Message-ID: 32987.82.105.99.92.1236782279.squirrel () picard ! linux ! it
Hi All,
with Fedora 10 I'm able to run the Prelude server, prelude-lml, Prewikka and
others.
I've got two Windows XP SP3 clients running in my network and I would like
to monitor and control their logs (also called EVT). In order to do it
I have installed the SNARE plugin on each Windows client and I can now
convert EVT to syslog and send it to a syslog server (the one where
Prelude is running).
Up to now I would like to monitor only these events:
1. LogIn OK
2. LogIn Failed
3. LogON
1. LogIn OK
------------
Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01164#011Wed Mar 11 12:27:26 2009#011680#011Security#011SYSTEM#011User#011Success Audit#011SUBWAY#011Account Logon #011#011Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: pippo Source Workstation: SUBWAY Error Code: 0x0 #01150
Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01165#011Wed Mar 11 12:27:26 2009#011528#011Security#011amrossi#011User#011Success Audit#011SUBWAY#011Logon/Logoff #011#011Successful Logon: User Name: pippo Domain: SUBWAY Logon ID: (0x0,0xDC9A6) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SUBWAY Logon GUID: - #01151
2. LogIn Failed
---------------
Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01163#011Wed Mar 11 12:27:26 2009#011529#011Security#011SYSTEM#011User#011Failure Audit#011SUBWAY#011Logon/Logoff #011#011Logon Failure: Reason: Unknown user name or bad password User Name: Pippo Domain: SUBWAY Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: SUBWAY #01149
3. LogON
--------
Mar 11 12:27:59 subway MSWinEventLog#0111#011Security#01170#011Wed Mar 11 12:27:55 2009#011528#011Security#011NETWORK SERVICE#011Well Known Group#011Success Audit#011SUBWAY#011Logon/Logoff #011#011Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: - #01153
Mar 11 12:29:39 subway MSWinEventLog#0111#011Security#01171#011Wed Mar 11 12:29:36 2009#011538#011Security#011amrossi#011User#011Success Audit#011SUBWAY#011Logon/Logoff #011#011User Logoff: User Name: pippo Domain: SUBWAY Logon ID: (0x0,0xDC9A6) Logon Type: 2 #01154
Thank you very much.
Have a nice day.
--
Andrea Modesto Rossi
Fedora Ambassador
+---------------------------------------------------------------------+
| Nice. What do we tell them? That they are all shitty monopolist      |
| bastards, with their patented protocols and their Windows-y drivers? |
| Count me in!                                                         |
| Alessandro Rubini                                                    |
+---------------------------------------------------------------------+
_______________________________________________
Prelude-devel site list
Prelude-devel@prelude-ids.org
http://lists.prelude-ids.org/mailman/listinfo/prelude-devel
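The records above are Snare's tab-separated Windows event format, with each tab escaped by the syslog daemon as "#011". Below is an added example, written for this page and not code from the original post, from Snare, or from the Prelude project, that parses those lines, classifies each one as logon OK / logon failed / logoff, and pairs 528 (session start) with 538 (session end) on the Logon ID. The sample lines are the poster's own records, re-joined onto single lines; the field positions, regular expressions and the event-ID / logon-type tables are this example's assumptions and should be checked against the Snare agent version actually deployed.

```python
"""Parse Snare-over-syslog Windows Security events and classify logon activity.

Added example for this page: not code from the post, from Snare or from Prelude.
"""
import re
from collections import Counter

# Constructed sample input: the five records from the post, re-joined onto one
# line each (the mail client had wrapped them). "#011" is the octal escape the
# syslog daemon substituted for the 0x09 tab that Snare uses as a separator.
SAMPLE_LINES = [
    "Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01164#011Wed Mar 11 12:27:26 2009"
    "#011680#011Security#011SYSTEM#011User#011Success Audit#011SUBWAY#011Account Logon #011#011"
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: pippo "
    "Source Workstation: SUBWAY Error Code: 0x0 #01150",
    "Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01165#011Wed Mar 11 12:27:26 2009"
    "#011528#011Security#011amrossi#011User#011Success Audit#011SUBWAY#011Logon/Logoff #011#011"
    "Successful Logon: User Name: pippo Domain: SUBWAY Logon ID: (0x0,0xDC9A6) Logon Type: 2 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: SUBWAY Logon GUID: - #01151",
    "Mar 11 12:27:30 subway MSWinEventLog#0111#011Security#01163#011Wed Mar 11 12:27:26 2009"
    "#011529#011Security#011SYSTEM#011User#011Failure Audit#011SUBWAY#011Logon/Logoff #011#011"
    "Logon Failure: Reason: Unknown user name or bad password User Name: Pippo Domain: SUBWAY "
    "Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: SUBWAY #01149",
    "Mar 11 12:27:59 subway MSWinEventLog#0111#011Security#01170#011Wed Mar 11 12:27:55 2009"
    "#011528#011Security#011NETWORK SERVICE#011Well Known Group#011Success Audit#011SUBWAY#011Logon/Logoff #011#011"
    "Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Logon Type: 5 "
    "Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: - #01153",
    "Mar 11 12:29:39 subway MSWinEventLog#0111#011Security#01171#011Wed Mar 11 12:29:36 2009"
    "#011538#011Security#011amrossi#011User#011Success Audit#011SUBWAY#011Logon/Logoff #011#011"
    "User Logoff: User Name: pippo Domain: SUBWAY Logon ID: (0x0,0xDC9A6) Logon Type: 2 #01154",
]

SYSLOG_HDR = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
TAB = "#011"

# Assumed Snare field positions (0 = the "MSWinEventLog" tag) as seen in the samples.
F_EVENTID, F_USER, F_AUDIT, F_COMPUTER, F_CATEGORY, F_MESSAGE = 5, 7, 9, 10, 11, 13

# Windows logon type codes (XP/2003 era); type 5 is a service logon and is
# usually machine noise rather than a person at the keyboard.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote-interactive"}


def _grab(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else default


def parse_snare(line):
    """Return the fields we care about, or None if the line is not a Snare record."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    fields = hdr.group("msg").split(TAB)
    if fields[0] != "MSWinEventLog" or len(fields) <= F_MESSAGE:
        return None
    msg = fields[F_MESSAGE]
    # Caveat: the Snare "user" field is the account the audit record was written
    # under (SYSTEM for 680), so the logged-on account is taken from the message.
    return {
        "syslog_time": hdr.group("ts"),
        "host": hdr.group("host"),
        "event_id": int(fields[F_EVENTID]),
        "audit": fields[F_AUDIT],                # "Success Audit" / "Failure Audit"
        "computer": fields[F_COMPUTER],
        "category": fields[F_CATEGORY].strip(),  # "Logon/Logoff", "Account Logon"
        "message": msg,
        "user": _grab(r"User Name:\s*(.*?)\s+Domain:", msg)
                or _grab(r"Logon account:\s*(\S+)", msg),
        "domain": _grab(r"Domain:\s*(.*?)\s+Logon (?:ID|Type):", msg),
        "logon_id": _grab(r"Logon ID:\s*(\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\))", msg),
        "logon_type": int(_grab(r"Logon Type:\s*(\d+)", msg, "0")),
        "reason": _grab(r"Reason:\s*(.*?)\s+User Name:", msg),
    }


def classify(ev):
    """Map a parsed event onto the three things the post wants to watch."""
    eid, audit = ev["event_id"], ev["audit"]
    if eid in (528, 540) and audit == "Success Audit":
        return "logon_ok"                 # interactive (528) or network (540) session created
    if eid == 538:
        return "logoff"
    if ev["category"] in ("Logon/Logoff", "Account Logon") and audit == "Failure Audit":
        return "logon_failed"             # 529 and the other failure-reason IDs
    if eid == 680:                        # credential validation by MSV1_0 (NTLM)
        code = _grab(r"Error Code:\s*(0x[0-9A-Fa-f]+)", ev["message"])
        return "logon_ok" if code == "0x0" else "logon_failed"
    return "other"


def track_sessions(lines):
    """Count outcomes and pair session starts (528/540) with ends (538) on Logon ID."""
    counts, open_sessions, closed, failures = Counter(), {}, [], []
    for line in lines:
        ev = parse_snare(line)
        if ev is None:
            continue
        kind = classify(ev)
        counts[kind] += 1
        if kind == "logon_ok" and ev["logon_id"]:
            open_sessions[ev["logon_id"]] = ev
        elif kind == "logoff" and ev["logon_id"] in open_sessions:
            start = open_sessions.pop(ev["logon_id"])
            closed.append((start["user"], start["syslog_time"], ev["syslog_time"]))
        elif kind == "logon_failed":
            failures.append((ev["user"], ev["reason"]))
    return counts, open_sessions, closed, failures
```

Two things worth noticing when writing prelude-lml rules from these records: a single interactive logon produces both a 680 (the authentication package validating the credentials) and a 528 (the session being created), so counting both as "LogIn OK" doubles the figure; and the NETWORK SERVICE record in the "3. LogON" sample is a type 5 service logon, which the logon-type table lets you filter out when only human logons are of interest.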