Windows Event Log Experts - Identifying A User Login To Windows..How?
Posted on 2007-07-31
Hi Experts ,
i have a system which analyzes the windows event log ..parses it and inserts that to a db which i can read later on (sim product).
ive tried looking into windows events and analyze which windows events does the dc generate in a case of a logon to the domain.
im trying to see which events should i be aware of (672..680..etc) when a user logs in (NTLM AND Kerb) , more like which events are generated and in what form (for a false example say - event 1 , then 300 , then 400 will indicate a user login...) , i know this is big to comprahand so ill make it even shorter.
im gonna make a rule who will notify me about interactive login at night (24:00 till morning) , which events should i catch and be sure - Joe did a login at 01:00..(then further on ill look what he did on other systems)..