
Network Logons


With network logon tracking you can collect a wide variety of information about successful and failed logins on your network. Network logon tracking is useful in a variety of scenarios:


Regulatory Compliance
Network Security Review
Troubleshooting
Network Logon Statistics


For example, the following statistics / reports can be created with the data gathered:


Most common reasons for failed logons
Servers / Workstations with most failed logons
Most common logon types (e.g. service, interactive, etc.)
Protocol distribution (e.g. NTLM vs. Kerberos)
and much more

Logon Failure Analysis

This report documents all authentications to domain controllers by users. Note that whenever such a user logs onto their own workstation or member server, this will generate a Network logon to a DC since the user’s workstation must access the domain controller under the user’s credentials to apply Group Policy / User Configuration.

Logon Failure Analysis

Event Log (Windows version)                          Event IDs
Windows NT, Windows 2000, Windows XP, Windows 2003   672, 675, 676, 680, 681
Windows Vista, Windows 2008                          4768, 4771, 4776

Domain Account Authentication

This report documents all authentications to domain controllers by users. Note that whenever such a user logs onto their own workstation or member server, this will generate a Network logon to a DC since the user’s workstation must access the domain controller under the user’s credentials to apply Group Policy / User Configuration.

Domain Account Authentication

Event Log (Windows version)                          Event IDs
Windows NT, Windows 2000, Windows XP, Windows 2003   672, 673, 680
Windows Vista, Windows 2008                          4768, 4769, 4776

User Logon By Server Type

This report documents all logons to monitored servers. It provides the following:

Complete record of all attempts to access the computer, regardless of the type of account used
Type of logon and logon process
IP address and name of the client computer

User Logon By Server Type

Event Log (Windows version)                          Event IDs
Windows NT, Windows 2000, Windows XP, Windows 2003   528-537, 539, 540
Windows Vista, Windows 2008                          4624, 4625

Due to the number of events generated by Windows, this feature may record a large number of events. You can set the "Severity" option to "Audit Failures Only" to reduce the number of events that are captured by this feature. If you are required by law to capture this data, then verify with your compliance officer (and/or audit requirements) to ensure that you can change this setting and still remain compliant.
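The statistics listed at the top of this page (most common failure reasons, servers with the most failed logons, logon type distribution, NTLM vs. Kerberos) can be derived from the event IDs in the tables above. The following Python is an added example, not EventSentry code: the event ID groups are the Windows Vista / 2008 IDs from this page, the logon type names, NTSTATUS sub-status codes and Kerberos failure codes are the documented Windows and RFC 4120 values, and the field names and sample records are constructed for the example.

```python
"""Aggregate Windows logon-tracking events into the statistics this page lists."""
from collections import Counter

# Event ID groups as listed on this page (Windows Vista / Windows 2008 IDs).
LOGON_FAILURE_ANALYSIS = {4768, 4771, 4776}
DOMAIN_ACCOUNT_AUTHENTICATION = {4768, 4769, 4776}
USER_LOGON_BY_SERVER_TYPE = {4624, 4625}

# Documented values of the "Logon Type" field in 4624 / 4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Documented NTSTATUS codes seen in the 4625 sub-status / 4776 error-code field.
NTSTATUS_REASONS = {"0xC0000064": "user name does not exist",
                    "0xC000006A": "bad password",
                    "0xC0000072": "account disabled",
                    "0xC000006F": "logon outside allowed hours",
                    "0xC0000234": "account locked out"}

# Documented Kerberos error codes (RFC 4120) seen in the 4771 failure-code field.
KERBEROS_REASONS = {"0x6": "client principal unknown",
                    "0x12": "client credentials revoked",
                    "0x18": "pre-authentication failed (bad password)",
                    "0x25": "clock skew too great"}

# Constructed sample records (field names are this example's own, not EventSentry's).
EVENTS = [
    {"id": 4624, "computer": "FS01", "user": "alice", "logon_type": 3},
    {"id": 4624, "computer": "WS07", "user": "alice", "logon_type": 2},
    {"id": 4625, "computer": "FS01", "user": "bob", "logon_type": 3, "sub_status": "0xC000006A"},
    {"id": 4625, "computer": "FS01", "user": "bob", "logon_type": 3, "sub_status": "0xC000006A"},
    {"id": 4625, "computer": "WS07", "user": "carol", "logon_type": 10, "sub_status": "0xC0000234"},
    {"id": 4768, "computer": "DC01", "user": "alice"},
    {"id": 4769, "computer": "DC01", "user": "alice"},
    {"id": 4771, "computer": "DC01", "user": "bob", "failure_code": "0x18"},
    {"id": 4776, "computer": "DC01", "user": "svc_backup", "error_code": "0x0"},
    {"id": 4776, "computer": "DC01", "user": "dave", "error_code": "0xC0000064"},
]


def is_failure(ev):
    """4625 and 4771 are always failures; 4776 is a failure only if its error code is non-zero."""
    if ev["id"] in (4625, 4771):
        return True
    if ev["id"] == 4776:
        return ev.get("error_code", "0x0") != "0x0"
    return False


def failure_reason(ev):
    """Map the status / failure code of a failed event to a human-readable reason."""
    if ev["id"] == 4625:
        return NTSTATUS_REASONS.get(ev.get("sub_status"), "unknown")
    if ev["id"] == 4771:
        return KERBEROS_REASONS.get(ev.get("failure_code"), "unknown")
    if ev["id"] == 4776:
        return NTSTATUS_REASONS.get(ev.get("error_code"), "unknown")
    return None


def audit_failures_only(events):
    """What the "Audit Failures Only" severity setting keeps: just the failed attempts."""
    return [e for e in events if is_failure(e)]


def report_events(events, report):
    """Select the events that feed one of the three reports on this page."""
    return [e for e in events if e["id"] in report]


def failure_reasons(events):
    """Most common reasons for failed logons."""
    return Counter(failure_reason(e) for e in audit_failures_only(events))


def failures_by_computer(events):
    """Servers / workstations with the most failed logons."""
    return Counter(e["computer"] for e in audit_failures_only(events))


def logon_type_distribution(events):
    """Most common logon types (interactive, network, service, ...) from 4624 / 4625."""
    return Counter(LOGON_TYPES.get(e["logon_type"], f"type {e['logon_type']}")
                   for e in report_events(events, USER_LOGON_BY_SERVER_TYPE))


def protocol_distribution(events):
    """NTLM vs. Kerberos: 4776 is NTLM credential validation, 4768/4769/4771 are Kerberos."""
    counts = Counter()
    for e in events:
        if e["id"] in (4768, 4769, 4771):
            counts["Kerberos"] += 1
        elif e["id"] == 4776:
            counts["NTLM"] += 1
    return counts


if __name__ == "__main__":
    for name, fn in [("failure reasons", failure_reasons),
                     ("failures by computer", failures_by_computer),
                     ("logon types", logon_type_distribution),
                     ("protocols", protocol_distribution)]:
        print(f"{name}: {dict(fn(EVENTS))}")
```

Note that 4776 is logged for both successful and failed NTLM validations, so the error code decides whether an event counts as a failure; filtering on the event ID alone would overstate failures.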


Perform additional host name or reverse lookup through DNS

When the logon ID contained in the logon event (this only applies to audit success events) can be linked (correlated) to an earlier logon session, EventSentry will include the IP address and/or host name of that session. If only the host name or only the IP address is available, a DNS (reverse) lookup is performed to gather the missing information.

Due to the nature of DNS lookups, this information might not be 100% accurate and should not be solely relied upon.
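The correlation described above, with the DNS fallback and its caveat, as an added Python example (not EventSentry code): a logon ID seen in a successful logon is remembered together with the client IP / host name, later events carrying the same logon ID are enriched from that session, and only the missing half is asked from DNS. Every filled-in value is tagged with where it came from, so a consumer can treat DNS-derived fields with the reduced trust the note above calls for. The event records, field names and the stand-in resolvers are constructed for the example; the resolver functions are injected so the example runs offline, and `dns_reverse` / `dns_forward` show the standard-library calls that would be passed in production.

```python
"""Fill in client IP / host name from an earlier logon session, then DNS, tagging the source."""
import socket


def _present(value):
    # Windows writes "-" into fields it has no value for; treat that as missing.
    return value not in (None, "", "-")


def record_session(sessions, ev):
    """Remember the client IP / host of a successful logon (4624) under its logon ID."""
    if ev["id"] == 4624 and _present(ev.get("logon_id")):
        sessions[ev["logon_id"]] = {"ip": ev.get("ip"), "host": ev.get("host")}


def enrich(ev, sessions, reverse_lookup, forward_lookup):
    """Return a copy of ev with ip/host filled from the correlated session, then DNS.

    out["source"] records, per field, whether it came from the session table ("session")
    or from a DNS lookup ("dns"), so DNS-derived values can be treated with less trust."""
    out = dict(ev)
    out["source"] = {}
    linked = sessions.get(ev.get("logon_id"), {})
    for field in ("ip", "host"):
        if not _present(out.get(field)) and _present(linked.get(field)):
            out[field] = linked[field]
            out["source"][field] = "session"
    # Exactly one of the two is known: ask DNS for the other, tolerating a failed lookup.
    if _present(out.get("ip")) and not _present(out.get("host")):
        try:
            out["host"] = reverse_lookup(out["ip"])
            out["source"]["host"] = "dns"
        except (OSError, KeyError):
            pass  # no PTR record: leave the host name missing rather than guess
    elif _present(out.get("host")) and not _present(out.get("ip")):
        try:
            out["ip"] = forward_lookup(out["host"])
            out["source"]["ip"] = "dns"
        except (OSError, KeyError):
            pass
    return out


def enrich_all(events, reverse_lookup, forward_lookup):
    """Process events in log order: learn sessions from 4624, enrich everything that follows."""
    sessions = {}
    result = []
    for ev in events:
        record_session(sessions, ev)
        result.append(enrich(ev, sessions, reverse_lookup, forward_lookup))
    return result


# Real resolvers for production use (standard library); not called in this example.
def dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def dns_forward(name):
    return socket.gethostbyname(name)


# Constructed stand-in resolvers so the example runs offline.
FAKE_REVERSE = {"10.0.0.21": "ws07.corp.example"}
FAKE_FORWARD = {"fs01.corp.example": "10.0.0.44"}

# Constructed sample records (hypothetical field names; 4672 carries a logon ID but no client address).
EVENTS = [
    {"id": 4624, "logon_id": "0x3E7A1", "user": "alice", "ip": "10.0.0.21", "host": "-"},
    {"id": 4672, "logon_id": "0x3E7A1", "user": "alice"},
    {"id": 4624, "logon_id": "0x41B22", "user": "bob", "ip": "-", "host": "fs01.corp.example"},
    {"id": 4672, "logon_id": "0x41B22", "user": "bob"},
    {"id": 4672, "logon_id": "0x99999", "user": "eve"},                          # no known session
    {"id": 4624, "logon_id": "0x5C0DE", "user": "frank", "ip": "10.0.0.99", "host": "-"},  # no PTR
]


if __name__ == "__main__":
    for ev in enrich_all(EVENTS, FAKE_REVERSE.__getitem__, FAKE_FORWARD.__getitem__):
        print(ev["id"], ev["user"], ev.get("ip"), ev.get("host"), ev["source"])
```

The `source` tag is the practical form of the caveat above: a host name obtained from a PTR record reflects whatever DNS returned at lookup time, not necessarily the machine that actually authenticated, so reports should show it as DNS-derived rather than as fact.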