
Windows Log off Events


Hi Guys,

I have only just noticed that Logoff events from a windows source do not
include the IP or hostname of the server where they are executed. Most
other events do have this information from the same host, I had a look
at the collector and couldn't spot anything obvious. Anyway looking a
bit further into it, it appears that Windows itself (certainly the
windows 7 event source I am using) doesn't record the computer name or
ip in log off events but it does on say a login event. How strange?!

Ok so I guess there are some things I could do around looking to see
where the user had previously logged on etc. I am wondering what other
people have done with these events in the past? Is there something that
can be changed on the windows side to start recording source IP or
source computer name etc for these event types?

I was just looking about when I spotted this, but seems odd Microsoft
omit these details from the logoff event. There is a picture of a login
and logoff event from my test setup here: [image:
https://lh3.googleusercontent.com/-H9L2X9WhUJc/UQfYSFvvO4I/AAAAAAAADcw/2XrtPw0dNTU/s598/LogonLogoff.jpg]

Quick description of the test environment that I spotted this in:

* Sentinel 7.0.2
* Windows Server 2008R2 DC and WECS server
* Windows 7 Event source.
* Latest collector and connector for Windows (Jan 2013 collector; tried
the older collector first)


--
alanforrest
------------------------------------------------------------------------
alanforrest's Profile: https://forums.netiq.com/member.php?userid=363
View this thread: https://forums.netiq.com/showthread.php?t=46661

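The "look at where the user had previously logged on" idea from the post above, worked through as an added example (not code from the thread or from NetIQ): a Windows Security logon event (ID 4624) carries the Source Network Address and Workstation Name, while the logoff event (ID 4634) carries only the Logon ID, so the collector or SIEM has to join the two. The records below are constructed samples whose field names mirror the Security event XML.

```python
# Added example (not from the thread): recover the source address and
# workstation for a Windows logoff event (4634) by joining it to the earlier
# logon event (4624) that shares its Logon ID.

# Constructed sample records (not real logs), simplified to the fields used.
SAMPLE_EVENTS = [
    {"Computer": "DC1", "EventID": 4624, "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.15",
     "WorkstationName": "WS01"},
    {"Computer": "DC1", "EventID": 4634, "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1"},
    # Logoff whose logon happened before collection started: no 4624 to join.
    {"Computer": "DC1", "EventID": 4634, "TargetUserName": "bob",
     "TargetLogonId": "0x41f00"},
]


def enrich_logoffs(events):
    """Return the 4634 events with IpAddress/WorkstationName copied from the
    4624 event that has the same (Computer, Logon ID) key.

    A Logon ID is only unique per boot of a given host, so the key includes
    the Computer name. An unmatched logoff is kept but marked Correlated=False
    so a report or rule does not silently treat it as a local session.
    """
    sessions = {}   # (Computer, Logon ID) -> (IpAddress, WorkstationName)
    enriched = []
    for ev in events:
        key = (ev["Computer"], ev["TargetLogonId"])
        if ev["EventID"] == 4624:
            sessions[key] = (ev.get("IpAddress", "-"),
                             ev.get("WorkstationName", "-"))
        elif ev["EventID"] == 4634:
            out = dict(ev)
            # The logoff ends the session, so drop it from the table.
            ip, ws = sessions.pop(key, (None, None))
            out["IpAddress"] = ip if ip is not None else "unknown"
            out["WorkstationName"] = ws if ws is not None else "unknown"
            out["Correlated"] = ip is not None
            enriched.append(out)
    return enriched


if __name__ == "__main__":
    for e in enrich_logoffs(SAMPLE_EVENTS):
        print(e["TargetUserName"], e["IpAddress"],
              e["WorkstationName"], e["Correlated"])
```

Logons seen only through a forwarded-events (WEC) subscription can be missed if forwarding starts after the session began, which is exactly the unmatched case the Correlated flag exposes.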

Re: Windows Log off Events

While I cannot say I've noticed this before, my guess at why is that
customers have never cared as much for logouts, or even logins, as they
have things with more security implications (like accessing protected
resources). A login is the start of access, surely enough, but it often
only happens once in a Kerberos environment and then subsequently there
are tickets granted for access to other resources vs. more logins. A
logout, though, just means the session ended (not much security
implication other than now the user should no longer be accessing things
within that environment unless there are other active sessions separate
from this one).

As another possibly-unhelpful note, a lot of Security audit settings are
not enabled by default; if you are getting logout/logoff stuff then it's
likely that what you see is what you get, but maybe there's also a way to
get more detail from current events. That would be different from my
experience in configuring auditing in a Microsoft Active Directory (MAD)
world, but I also do not memorize all possibilities in that world.

Good luck.

Re: Windows Log off Events


Yeah, I thought it was interesting that the events at the MAD side don't
seem to have a uniform set of information in them. I will have a dig
about and see what other settings can be enabled to add more details. I
just thought it was interesting and wondered if anyone else had noticed
😉


--
alanforrest
