There is no reliable way to tell that an interactive user has "logged off" in Windows. This is mostly because AD doesn't record an interactive logoff on the domain controller. All the log-off messages you see on the DC are for network sessions (e.g. accessing network drives/printers). You can get some log-off messages from the individual computers the user logs into, but even then it's not really reliable (i.e. the user can just power off the computer), and now you have to figure out how to get logs from every computer on the network.
The best way I've found to determine if a user logs out is through trending. If you look at a graph of a week's worth of DC log activity, filtered by the user you're interested in, you can clearly see when they've logged in and out. It's not as precise and you can't script things to it, but it works.

On Thursday, March 14, 2013 12:36:40 PM UTC-7, m0dpr0b3 wrote:
>
> Hello there,
> I need the right direction to audit alerts.log.
> I need to know accurately which hours a user logs in and logs out in the Active Directory domain.
> I've Windows 2008 and 2003 (primary and secondary, respectively).
> OSSEC agents are installed on both servers.
>
> * Alert 1354354465.98266105: - windows,authentication_success,
> 2012 Dec 01 07:34:25 (AD_PRIMARy) 10.15.1.221->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> User: [email protected]
> WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: [email protected]: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested. Account Information: Account Name: [email protected] Account Domain: DOMAIN.COM Logon GUID: {68BDA460-CABF-74CC-B467-FCCB9A6771CB} Service Information: Service Name: FILESHARE$ Service ID: S-1-5-21-924963825-40351264-2638664145-4527 Network Information: Client Address: ::ffff:1.1.1.1 Client Port: 1182 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
>
> I will need to filter events; my doubt is: can I have false positives? Which is the better way to identify logins and logouts of a user accurately?
>
> Regards,
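One way to script the trending the reply describes, as an added example that is not from the thread or from OSSEC itself: it parses alert blocks in the alerts.log layout quoted above, then reports the first and last rule-18107 alert per day and an hourly activity profile for one user. The sample alerts, user names and alert ids are constructed; the per-day bounds are only an estimate, since event 4769 fires on every service-ticket request rather than on logoff.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(")  # "2012 Dec 01 07:34:25 (AD_PRIMARY) ..."
RULE_RE = re.compile(r"^Rule: (\d+) ")
USER_RE = re.compile(r"^User: (\S+)")
SAMPLE_EVENTS = [  # constructed (alert id, header timestamp, user); rendered below in the alerts.log layout from the thread
    ("1354354465", "2012 Dec 01 07:34:25", "jdoe@DOMAIN.COM"),
    ("1354391560", "2012 Dec 01 17:52:40", "jdoe@DOMAIN.COM"),
    ("1354442711", "2012 Dec 02 08:05:11", "jdoe@DOMAIN.COM"),
    ("1354446000", "2012 Dec 02 09:00:00", "asmith@DOMAIN.COM"),
    ("1354473000", "2012 Dec 02 16:30:00", "jdoe@DOMAIN.COM"),
]
SAMPLE_LOG = "\n\n".join(
    f"** Alert {aid}.98266105: - windows,authentication_success,\n"
    f"{when} (AD_PRIMARY) 10.15.1.221->WinEvtLog\n"
    f"Rule: 18107 (level 3) -> 'Windows Logon Success.'\n"
    f"User: {user}\n"
    f"WinEvtLog: Security: AUDIT_SUCCESS(4769): {user}: A Kerberos service ticket was requested."
    for aid, when, user in SAMPLE_EVENTS
)

def parse_alerts(text):
    """Return (timestamp, rule_id, user) for every blank-line-separated alert block."""
    events = []
    for block in text.strip().split("\n\n"):
        when = rule = user = None
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                when = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
            elif m := RULE_RE.match(line):
                rule = m.group(1)
            elif m := USER_RE.match(line):
                user = m.group(1)
        if when and rule and user:
            events.append((when, rule, user))
    return events

def daily_bounds(events, user, rule="18107"):
    """First/last matching alert per day: a rough logon/logoff estimate (the 'last' is only the last resource access)."""
    days = defaultdict(list)
    for when, r, u in events:
        if u.lower() == user.lower() and r == rule:
            days[when.strftime("%Y-%m-%d")].append(when)
    return {d: (min(t).strftime("%H:%M"), max(t).strftime("%H:%M"), len(t)) for d, t in days.items()}

def hourly_profile(events, user):
    """Alert count per hour of day; over a week's log this is the trend the reply describes."""
    return Counter(w.hour for w, _, u in events if u.lower() == user.lower())
```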
