Solved

Multiple 4624 and 4634 events for every logon and logoff

Posted on 2010-03-31
Medium Priority
6,127 Views
Last Modified: 2012-05-09
I'm getting 3-5 logon (4624) and multiple 4634 events for every logoff. I'm trying to narrow these down to the actual event of logging on and logging off, but with so much noise it is hard to figure out the real event.

Does anyone have suggestions on filtering this stuff, or an alternative method of obtaining the logon/logoff events/actions?
Question by:RLUNT
9 Comments
 
LVL 21

Expert Comment

by:gemarti
ID: 29272081
What is the logon type noted in the event? Many times this could just be a local service starting up or shutting down.

You can start by disabling all services one at a time until you narrow down the source of the event. If the service isn't needed then don't start it up. Service logons are usually "Logon Type: 5"



0
 
LVL 21

Expert Comment

by:gemarti
ID: 29280557
BTW: You can use this tool (http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx) to determine what accounts are logged on and what service they are using. This may be quicker than trying to disable services etc.

0
 
LVL 1

Author Comment

by:RLUNT
ID: 30850542
No solution has been presented. All the above suggestions don't address the fundamental question of how to get to the root login event efficiently. Scouring through services, etc., turning them off is the equivalent of counting grains of rice when handling enterprise issues. I was looking for some insight as to an advanced filtering of events to get to the root login event for the user. Therefore no points will be awarded.
0

 
LVL 21

Expert Comment

by:gemarti
ID: 30874830
Perhaps if you would have answered the question I asked I could have provided you with a succinct answer. Your question was vague and non-specific; this is why you didn't get what you wanted. But the suggestions I provided are valid answers to the basic premise of your question.

Running a filter to find all service logons would quickly tell you if a service was causing the event you were looking for so I'm not too sure I understand the justification of your comment.



 
0
 
LVL 1

Author Comment

by:RLUNT
ID: 30919574
Ah, there's the rub. What is the question? From my perspective it was succinct, but reviewing it I can see that a different perspective would garner your response. Therefore, I'll rephrase:

I want to review the thousands of people logging into my network and get the specific 'login' event and the specific 'logout' event. I don't want all the other junk that MS provides for all the services, etc. The root of this is to know when a person logs in and logs out. Nothing more. The local WS has distinct events for this, but that would require trapping events on every workstation. I built a service to trap these on the WS level, but with 1000 WS it is painful to update. Supposedly the 'Audit' feature of a Windows Server should replicate these workstation capabilities within the server 'Security Event log.' But as I found out, MS decided not to replicate the process but to go overboard, even to the extent of using the same event ID for multiple events, as seen within the body of the event. However, MS was inconsistent with the use of the body, sometimes populating the source, etc., sometimes sending the corresponding logoff, sometimes not. Thus rendering the current 4624 and 4634 events virtually useless unless you focus on one workstation and sift slowly through the noise. But on a large scale it is beyond painful.

I have not found anyone who has definitively resolved the ability to know when a person logs on to a domain and logs off the domain. Many writings (forums, Google, MSDN) say "Turn on Auditing" but after that the specifics fade into the ether. I can imagine they fade because of the above issue and no one knows how to resolve the excess/noisy information problem. Thus, it is troubling to hear some write they 'know' how to monitor logon/logoff on a large network and then provide only 33% of the solution. Why answer the question when you can't provide the whole solution? This is not directed at you but the public at large for offering a solution that is not a solution.

So, please accept my apology for the above comment. You were addressing the question I asked, not the question I thought I asked.

If you have any insight to the above situation I would appreciate your input.

Regards

0
 
LVL 21

Accepted Solution

by:
gemarti earned 1000 total points
ID: 30921091
Perhaps two simple scripts and a sql database would provide you with a solution?

I think I understand your extended comments; you want a log of when a user logs on and logs off your domain controller; you aren't interested in services starting up or what account is used to start those services.

If you are in AD one possible approach is to setup two scripts that would run when a user logs on and logs off the network. The scripts would quickly record the user name, computer name, date and time of log entry and whether the user was logging on or off. Would that get to the root of your request? Or are you wanting more specific information? If so what specific information do you need to know?

I understand you have done extensive research on the event logs and don't wish to deal with the complexity or quantity of information stored in those logs; if I'm correct I think a customized solution is the only viable option.
0
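As an added example that is not code from this thread, the following Python script shows what the two suggestions above look like when combined: the Logon Type filter gemarti proposed in his first comment (keep only the types a person produces; drop service, batch and network logons) and the "user, computer, time, on/off" table proposed in the accepted answer. Instead of a logon/logoff script on each workstation it pairs each kept 4624 with its logoff by Logon ID, which is how the two events are linked in the Security log. Everything here is assumption for illustration: the sample events are constructed, the session table schema is the author's own, and the field names (`TargetLogonId`, `LogonType`, `TargetUserName`, `TargetDomainName`) are the EventData names Windows uses in the 4624/4634/4647 records. Two caveats a practitioner will want: Logon IDs are only unique per machine per boot, so the pairing key must include the computer name, and an interactive logoff is usually recorded as 4647 ("user initiated logoff") as well as 4634, so both are treated as a logoff.

```python
"""
Added example (not from the thread): reduce 4624/4634 noise to one logon
and one logoff row per person, then store the rows in the simple
user/computer/time/action table the accepted answer proposes.

Filtering rule: keep a 4624 only when its Logon Type is one a person
produces (2 interactive, 7 unlock, 10 RemoteInteractive, 11 cached
interactive). Service (5), batch (4) and network (3) logons are the noise
the question complains about. Each kept logon is paired with its logoff
(4634, or 4647 for a user-initiated logoff) by (Computer, Logon ID).
"""
import sqlite3

PERSON_LOGON_TYPES = {2, 7, 10, 11}
LOGOFF_EVENT_IDS = {4634, 4647}

# Constructed sample records: the fields a collector would pull out of the
# EventData section of each Security log record. Times are ISO 8601.
SAMPLE_EVENTS = [
    # service account logging on at boot: noise
    {"EventID": 4624, "TimeCreated": "2010-03-31T08:01:12", "Computer": "WS042",
     "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
     "LogonType": 5, "TargetLogonId": "0x3e7"},
    # the real console logon
    {"EventID": 4624, "TimeCreated": "2010-03-31T08:01:15", "Computer": "WS042",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "LogonType": 2, "TargetLogonId": "0x1a2b3"},
    # network logon by the same user (e.g. a share being mapped): noise
    {"EventID": 4624, "TimeCreated": "2010-03-31T08:01:20", "Computer": "WS042",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "LogonType": 3, "TargetLogonId": "0x1a2c9"},
    {"EventID": 4634, "TimeCreated": "2010-03-31T08:02:00", "Computer": "WS042",
     "LogonType": 3, "TargetLogonId": "0x1a2c9"},
    # user-initiated logoff of the console session, followed by its 4634
    {"EventID": 4647, "TimeCreated": "2010-03-31T17:30:05", "Computer": "WS042",
     "TargetLogonId": "0x1a2b3"},
    {"EventID": 4634, "TimeCreated": "2010-03-31T17:30:06", "Computer": "WS042",
     "LogonType": 2, "TargetLogonId": "0x1a2b3"},
    # RDP logon on another machine with no logoff seen yet
    {"EventID": 4624, "TimeCreated": "2010-03-31T09:00:00", "Computer": "WS007",
     "TargetDomainName": "CORP", "TargetUserName": "asmith",
     "LogonType": 10, "TargetLogonId": "0x55aa"},
]


def build_sessions(events):
    """Return one session per person logon, in logon order.

    A session is a dict with user, computer, logon_type, logon_time and
    logoff_time (None when no logoff has been seen for it).
    """
    ordered = sorted(events, key=lambda e: e["TimeCreated"])
    open_sessions = {}   # (computer, logon id) -> session still logged on
    sessions = []
    for ev in ordered:
        key = (ev["Computer"], ev["TargetLogonId"])
        if ev["EventID"] == 4624:
            if ev["LogonType"] not in PERSON_LOGON_TYPES:
                continue                      # service/batch/network noise
            session = {
                "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                "computer": ev["Computer"],
                "logon_type": ev["LogonType"],
                "logon_time": ev["TimeCreated"],
                "logoff_time": None,
            }
            open_sessions[key] = session
            sessions.append(session)
        elif ev["EventID"] in LOGOFF_EVENT_IDS:
            # Logoffs of filtered logons, and a 4634 that follows a 4647 for
            # the same session, find nothing to close and are dropped.
            session = open_sessions.pop(key, None)
            if session is not None:
                session["logoff_time"] = ev["TimeCreated"]
    return sessions


def record_sessions(sessions, conn):
    """Write the user/computer/time/action rows the accepted answer proposes
    and return how many rows the table holds afterwards."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logon_log ("
        "user TEXT, computer TEXT, event_time TEXT, action TEXT)"
    )
    rows = []
    for s in sessions:
        rows.append((s["user"], s["computer"], s["logon_time"], "logon"))
        if s["logoff_time"] is not None:
            rows.append((s["user"], s["computer"], s["logoff_time"], "logoff"))
    conn.executemany("INSERT INTO logon_log VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM logon_log").fetchone()[0]


def run_demo():
    """Filter the constructed events into an in-memory database.
    Returns (sessions, number of rows recorded)."""
    sessions = build_sessions(SAMPLE_EVENTS)
    conn = sqlite3.connect(":memory:")
    count = record_sessions(sessions, conn)
    conn.close()
    return sessions, count


if __name__ == "__main__":
    sessions, count = run_demo()
    for s in sessions:
        print(f'{s["user"]:<14} {s["computer"]:<6} type {s["logon_type"]:<2} '
              f'on {s["logon_time"]}  off {s["logoff_time"] or "(still logged on)"}')
    print(f"{count} rows recorded")
```

Run against the seven constructed events, the script reduces them to two sessions (jdoe's console session on WS042 with its logoff, and asmith's still-open RDP session on WS007) and three table rows; the SYSTEM service logon and the network logon never reach the table. Pointing it at real data means replacing `SAMPLE_EVENTS` with records pulled from the collector of your choice; the pairing and filtering logic does not change.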
 
LVL 1

Author Closing Comment

by:RLUNT
ID: 31763332
Take this as an extreme compliment: you do what my wife does to me frequently. When looking at a complicated answer she punches me in the head with a common sense approach.

Thanks
0
 
LVL 21

Expert Comment

by:gemarti
ID: 30926745
I'm pretty sure I don't like being compared with a woman...especially your wife (I'm sure she is a wonderful woman) but I'll take your compliment; hope it all works out.

Thanks.
0
 
LVL 1

Author Comment

by:RLUNT
ID: 30928270
Ah, it is the sincerest compliment. She is great, smart and a geek.
0