pratikp Absent Member.

Not receiving interactive logon events in ArcSight

Dear All,

We have integrated Active Directory audit logs in ArcSight using the Windows Server Unified SmartConnector.

I am observing a lot of logon events, and after investigation I found that all events have logon type 3, which is network login. It has been observed that I am not receiving any interactive logins, which have logon type 2.

Can anyone help me with this so that I can get interactive logons in ArcSight?

Regards,

Pratik

balahasan.v1 Acclaimed Contributor.

Re: Not receiving interactive logon events in ArcSight

Hi Pratik,

If all the audit configurations are set and logging in Event Viewer, you would be able to get it in ArcSight (Message: Interactive: A user logged on to this computer at the console.)

Please cross-verify for interactive logon events in Windows Event Viewer first.

pratikp Absent Member.

Re: Not receiving interactive logon events in ArcSight

Dear Bala,

Hope you are doping well

Do you have the configuration which needs to be done to enable interactive logon? If yes, please share it with me.

Thanks,

Pratik

balahasan.v1 Acclaimed Contributor.

Re: Not receiving interactive logon events in ArcSight

Dude.. I don't dope these days.. Keep it a secret. lol

Well, can you check the events in Event Viewer first? Usually, if you have enabled the log authentication events in the policy editor, you would be able to see it.

I think the below is the one. But please do cross-check, bro.

Enable Audit account logon events (Successful and failed)

Enable Audit logon events (Successful and failed)

madhyasta Absent Member.

Re: Not receiving interactive logon events in ArcSight

Hi Pratik,

I guess you already have logon events set, else you wouldn't have got the login type 3 events. How are you testing interactive logins?

pratikp Absent Member.

Re: Not receiving interactive logon events in ArcSight

Hi Bala & Prashant,

If I am trying to log in to a desktop machine which is in the domain using domain credentials, should we get that logon type as interactive or network?

It is treating that as network and not interactive.

I was getting interactive logins if someone accesses the domain controller locally and not through a desktop as mentioned above. Does anyone have configurations on the domain controller which give interactive logins in the scenario where a user is trying to log in to a desktop machine which is in the domain using domain credentials?

Regards,

Pratik

ramjayam03
Visitor.

Re: Not receiving interactive logon events in ArcSight

Hi Pratikp,

Even I was also facing the same issue. We did manual testing by logging into the domain controller and looking at the events in Event Viewer. We identified that the domain controller records client machine login activity as a network login event, since the client has logged on to the DC from the network. Since we are pulling DC logs to ArcSight, we cannot get Type 2 events. We will get Type 2 events when we try to do an interactive login directly to the DCs.

sreekanthk881 Absent Member.

Re: Not receiving interactive logon events in ArcSight

Hi Pratik,

Did you resolve this issue? Even I have similar cases.

Regards,
Sreekanth Nair

simon.simcic@sr Honored Contributor.

Re: Not receiving interactive logon events in ArcSight

Hi,

The event will be logon type 3 when collected from a domain controller, and Interactive or Remote Interactive when collected from the machine or server.

The logic here being: you log in remotely or interactively to some machine, which in turn verifies the credentials on a domain controller.

BR S 
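
To check in the local Security log what each collection point actually records, as the replies above suggest, this PowerShell script tallies successful-logon events (Security event ID 4624) by logon type on the machine where it runs. It is an added example, not part of the thread or of ArcSight; it assumes an elevated prompt, and the 24-hour look-back is a value chosen here.

```powershell
# Added example: tally successful logons (Security event ID 4624) by logon type
# on the local machine. Run on a domain controller and on a workstation to compare.
param(
    [int]$Hours = 24    # look-back window; value chosen for this example
)

# Logon type codes as Windows records them in event 4624
$logonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Named fields live under EventData/Data in the event XML
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    $name = $logonTypeNames[$type]
    if (-not $name) { $name = 'Other' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $type
        TypeName  = $name
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp  = $data['IpAddress']
    }
}

"Host: $env:COMPUTERNAME, 4624 events in last $Hours h: $($events.Count)"
$rows | Group-Object LogonType, TypeName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Interactive-class logons (types 2, 10, 11) recorded on this host
$interactive = @($rows | Where-Object { $_.LogonType -in 2, 10, 11 })
if ($interactive.Count -eq 0) {
    'No interactive-class logons recorded on this host in the window.'
} else {
    $interactive | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
}
```

If the workstation shows type 2 or 10 entries for a user while the domain controller shows only type 3 for the same user, the SmartConnector is collecting from the wrong place for interactive logons rather than missing an audit setting.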
