
Windows DC event logging - See WHERE a user is logging into.

Hi ArcSight fans,

I am looking into an issue with Windows DC logs. I'm pulling security logs from a few DCs and wanted to know if there is any way for me to capture WHERE a user is logging into.

I get an awful lot of information about each user login and session, but I want to see which device they are connecting to.

Any ideas? Is it an event ID that I can switch on?

Thanks

Re: Windows DC event logging - See WHERE a user is logging into.

Hey,

If you are pulling the security logs you should be looking for a 528 (Server 03) or a 4624 (Server 08-up).

The actual machine being logged into will show up as the "Source Host Name" or "Attacker Host Name".

The actual user will show up as "Target/Destination User Name" or "Target/Destination User ID".

Andrew


Re: Windows DC event logging - See WHERE a user is logging into.

Hi Andrew,

Thanks for your reply.

I have taken a look at the IDs and fields you suggested. Unfortunately the Source Host Name and Attacker Host Name are showing as the DC itself. I'm guessing this is either a log issue on the DC or a config issue on the connector. Your input would be appreciated!

Thanks


Re: Windows DC event logging - See WHERE a user is logging into.


You have a copy of a raw event I could check out? Or a screenshot of the event details? Might be easier than trying to guess.
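
Added example, not part of the thread and not ArcSight connector code: a parser for the raw XML of a 4624 record that separates the host that recorded the logon from the workstation and address the logon came from, and marks records whose origin points back at the recording host, the situation described in the second post. The sample events, host names, user names and addresses are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote-interactive"}

def make_event(computer, user, logon_type, workstation, ip):
    """Build a constructed 4624 record (sample data, not from the thread)."""
    data = {"TargetUserName": user, "LogonType": logon_type,
            "WorkstationName": workstation, "IpAddress": ip}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

def parse_logon(xml_text):
    """Return the logon fields of a 4624 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    recorded_on = root.findtext("e:System/e:Computer", namespaces=NS)
    workstation = data.get("WorkstationName", "-")
    ip = data.get("IpAddress", "-")
    # The origin is the recording host itself when the event carries no remote
    # workstation or address, or when both point back at that host.
    short_name = recorded_on.split(".")[0].upper()
    local_ws = workstation in ("", "-") or workstation.upper() == short_name
    local_ip = ip in ("", "-", "127.0.0.1", "::1")
    return {
        "user": data.get("TargetUserName", ""),
        "recorded_on": recorded_on,
        "logon_type": LOGON_TYPES.get(data.get("LogonType"), data.get("LogonType")),
        "origin_workstation": workstation,
        "origin_ip": ip,
        "origin_is_recording_host": local_ws and local_ip,
    }

# Constructed samples: a network logon from a workstation, and one whose
# origin fields point back at the DC that wrote the event.
SAMPLES = [
    make_event("DC01.example.local", "alice", "3", "WS042", "10.0.5.42"),
    make_event("DC01.example.local", "svc_backup", "3", "DC01", "::1"),
]

if __name__ == "__main__":
    for record in map(parse_logon, SAMPLES):
        print(record)
```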
