Hello shadejinx! Thank you! In fact, what you said is true, but by filtering the logs I can see a default pattern: a login, and the last log entry is a logoff (most of the time, if the specified user really shut down the workstation).
Regards

2013/3/20 shadejinx <[email protected]>

> There is no reliable way to tell that an interactive user has "logged off"
> in Windows. Mostly because AD doesn't record an interactive logoff on the
> domain controller. All the log-off messages you see on the DC are for
> network sessions (e.g. accessing network drives/printers). You can get some
> log-off messages from the individual computers the user logs into, but even
> then it's not really reliable (i.e. the user can just power off the
> computer) and now you have to figure out how to get logs from every
> computer on the network.
>
> The best way I've found to determine if a user logs out is through
> trending. If you look at a graph of a week's worth of DC log activity,
> filtered by the user you're interested in, you can clearly see when they've
> logged in and out. It's not as precise and you can't script things to it,
> but it works.
>
>
> On Thursday, March 14, 2013 12:36:40 PM UTC-7, m0dpr0b3 wrote:
>
>> Hello there,
>> I need a right direction to audit alerts.log.
>> I need to know accurately which hours a user logs in and logs out in the
>> Active Directory domain.
>> I have Windows 2008 and 2003 (primary and secondary, respectively).
>> OSSEC agents are installed on both servers.
>>
>> ** Alert 1354354465.98266105: - windows,authentication_success,
>> 2012 Dec 01 07:34:25 (AD_PRIMARY) 10.15.1.221->WinEvtLog
>> Rule: 18107 (level 3) -> 'Windows Logon Success.'
>> User: [email protected]
>> WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing:
>> [email protected]: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service
>> ticket was requested.
>> Account Information: Account Name: [email protected] Account Domain: DOMAIN.COM
>> Logon GUID: {68BDA460-CABF-74CC-B467-FCCB9A6771CB}
>> Service Information: Service Name: FILESHARE$ Service ID: S-1-5-21-924963825-40351264-2638664145-4527
>> Network Information: Client Address: ::ffff:1.1.1.1 Client Port: 1182
>> Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x17
>> Failure Code: 0x0 Transited Services: -
>> This event is generated every time access is requested to a resource such as
>> a computer or a Windows service. The service name indicates the resource to
>> which access was requested.
>>
>>
>> I will need to filter events; my doubt is: can I have false positives? Which
>> is the better way to identify logins and logouts of a user accurately?
>>
>> Regards,
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
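The trending approach shadejinx describes (filter the DC's alerts by account and look at the span of activity per day), applied to the alerts.log layout pasted in the original post. This is an added example, not code from the thread or from OSSEC; the alert records, the account jdoe@DOMAIN.COM and the second account asmith are constructed, and every record is a 4769 service-ticket request because that is the event rule 18107 fired on in the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the alerts.log layout quoted in the thread (not real
# data): fictional user jdoe seen across two days, plus one other account.
SAMPLE_ALERTS = """\
** Alert 1354354465.98266105: - windows,authentication_success,
2012 Dec 01 07:34:25 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.

** Alert 1354359600.98266150: - windows,authentication_success,
2012 Dec 01 09:00:00 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: asmith@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: asmith@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.

** Alert 1354371005.98266201: - windows,authentication_success,
2012 Dec 01 12:10:05 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.

** Alert 1354391920.98266390: - windows,authentication_success,
2012 Dec 01 17:58:40 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.

** Alert 1354442531.98266702: - windows,authentication_success,
2012 Dec 02 08:02:11 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.

** Alert 1354473900.98266980: - windows,authentication_success,
2012 Dec 02 16:45:00 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@DOMAIN.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@DOMAIN.COM: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested.
"""

TS_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((\S+)\) (\S+)->(\S+)")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")
USER_RE = re.compile(r"^User: (\S+)")
EVT_RE = re.compile(r"WinEvtLog: (\S+): (\w+)\((\d+)\):")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert: ts, host, rule, user, event_id."""
    records = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        rec = {}
        for line in block.splitlines():
            if m := TS_RE.match(line):
                rec["ts"] = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
                rec["host"] = m.group(2)
            elif m := RULE_RE.match(line):
                rec["rule"] = int(m.group(1))
                rec["description"] = m.group(3)
            elif m := USER_RE.match(line):
                rec["user"] = m.group(1)
            elif m := EVT_RE.search(line):
                rec["event_id"] = int(m.group(3))  # 4769 here: a service-ticket request
        if "ts" in rec and "user" in rec:
            records.append(rec)
    return records


def daily_activity(records, user):
    """First and last DC alert per day for one account: the trending view from the
    reply, where the span of activity approximates the session. Because 4769 is a
    service-ticket request, this bounds when the account was active on the domain,
    not when an interactive logon or logoff actually happened."""
    by_day = defaultdict(list)
    for r in records:
        if r["user"].lower() == user.lower():
            by_day[r["ts"].date().isoformat()].append(r)
    return {
        day: {
            "first": min(r["ts"] for r in rs).strftime("%H:%M:%S"),
            "last": max(r["ts"] for r in rs).strftime("%H:%M:%S"),
            "events": len(rs),
            "event_ids": sorted({r["event_id"] for r in rs}),
        }
        for day, rs in sorted(by_day.items())
    }


def hourly_profile(records, user):
    """Alerts per hour of day across the whole file; plotted over a week this is the
    graph the reply describes, showing the account's normal window and outliers."""
    return Counter(r["ts"].hour for r in records if r["user"].lower() == user.lower())


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for day, info in daily_activity(recs, "jdoe@DOMAIN.COM").items():
        print(day, info)
    print(sorted(hourly_profile(recs, "jdoe@DOMAIN.COM").items()))
```

To use it on a real server, feed parse_alerts the contents of the OSSEC alerts file (by default /var/ossec/logs/alerts/alerts.log) and plot hourly_profile over a week of data. The per-day first and last times are bounds on domain activity, so they tell you when the account first and last touched a Kerberos-protected resource; whether the user powered off in between is exactly what the reply says the DC cannot tell you.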
