Thanks to all for the references and responses. I think I'm on the right path; I've ordered the MonitorWare.
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 00:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Nope - MonitorWare. Tested it and it worked well in the homogeneous environment. Fairly configurable and it will allow me to use eventcomb first to determine what logs I want to send. This way I can get rid of the Service and SYSTEM related events and the extraneous 'crap' (technical term, you know) that has absolutely nothing to do with anything of value.

http://www.eventreporter.com/en/

Regards,

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 07, 2003 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi as well?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
> Cindy,
>
> I've evaluated and have recommended MonitorWare to our Security Director for the needs of our environment, which is a combined Enterprise with Cisco, Windows, Unix (all flavors), ACDs, and Tandem systems.
>
> Clearly, our ability to send syslog formatted logs makes sense, as we're not the only players, just a bit more adaptable.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Wednesday, August 06, 2003 3:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
>
> Does anyone have any experience with MonitorWare? Since I'll need a syslog server, I'd like one that will also work with the logs on our Cisco devices.
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 23:03
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
> Cindy,
>
> If you're going to have to keep all audit entries, you're going to have a tough time. I can help decipher these records for you (I do a lot of this!), but in a nutshell you've recorded a successful logoff (the Event 538) and a successful network logon via the Kerberos authentication package by the user PSDC1 - who looks to be a machine. In fact, one of your DCs.
> Yes, they do logon and logoff of the domain - typically to connect to services that it needs. This one (the Event 540) was a logon to the domain, where the previous was not a logoff from the domain proper.
>
> A Logon type 3 tells you that it was via the network, while a type 2 is interactive (too bad you can't tell if it was actually at the console).
> Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8 (plaintext password) or 9 (impersonated logon).
>
> The Logon process and authentication package note what type of process was spawned to authenticate the user from the point it connected to the session through authentication. You might see Kerberos (network), NTLM (network), or User32/Negotiate (Local).
> Realm associated events to MIT Kerberos realms should record as Kerberos authentication.
>
> Bottom line: Ignore the SYSTEM (usually a service doing what it needs) and the machine name events logging on. They are irrelevant and generally service and process related to normal operation of the network. Do, however, take note of the user logons and logoffs. The Logon ID field will stay with the user from Logon through the logoff of this session. You should be able to always associate a 540 Event to a corresponding 538 Event.
> However, be vigilant that a 538 is not always the same. One might indicate a network logoff, one might indicate a net use disconnection and another might record an Interactive logoff or an auto disconnect.
>
> As to what to do about spurious events that mean nothing when dealing with user activity, I'd suggest a more manageable solution such as a syslog server for Windows events, and filter the records that you want going to the syslog server. This not only collects all of the server's audit events in one place but also allows you to get rid of the events that play no part in true auditing of the server.
>
> Do a Google search on Windows Syslog and you'll find a number of options - one of which should suit.
>
> Hope this helps!
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Tuesday, August 05, 2003 3:03 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
>
> Rick,
> The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2.
> When I Audit Logon Events, the log fills with Event 538 NT Authority\Anonymous Logon User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0xCB82F)
> Logon Type: 3
>
> and Event 540 NT Authority\System Logons Successful Network Logon:
> User Name: PSDC1$
> Domain: LC_POLICE
> Logon ID: (0x0,0xCBE63)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
>
> These don't appear to give me any specific information.
>
> I need to keep records for 3 years that show when a user logged onto the network and from which workstation. When I audit Account Logon, I get the information, but the user is always System, so there is no easy way to filter for a specific user name. When I use Audit Logon events, I can filter by user name, but I'm filling 75% of the log with Anonymous and System logons. I'm generating about 8MB of security log daily between the two DCs, so I'm not sure what is the most efficient way to configure the audit policy on my DCs. It seems that either way, the logs fill with quite a bit of basically useless information.
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
> Cindy,
>
> My initial thought on this, understanding the process, is that everyone is Anonymous when they first hit the server. A record of this 'anonymous' access is made, and the process continues where you actually identify yourself.
>
> Clearly, this is going to be different if you are running a web server, where the access might be mostly anonymous, unless set to some manner of authentication (Windows, Basic, etc.)
>
> Now, for more detail, if you want to post some of the records that you're seeing (you should be able to follow the authentication trail via the IDs in the audit records) I can help you identify what is going on and what the anonymous access is all about. It would help to know what type of server this is, as well.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Monday, August 04, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Anonymous Logon
>
> I successfully upgraded my NT domain to AD yesterday. I now find my DC security log on the PDC emulator filling up twice a day. It is set to 2048 KB, do not overwrite (I have to save them for 3 years). The majority of events are Anonymous logons. Is it normal to have this quantity of Anonymous logons?
>
> Cynthia Rittenhouse MCSE, CCNA
> LAN Administrator
> County of Lancaster
> Lancaster, PA 17602
> Phone: (717)293-7274
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
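The thread describes three things an administrator would want before shipping Windows 2000 security audit records to syslog: decode the Logon Type, drop the SYSTEM, ANONYMOUS LOGON and machine-account (name ending in `$`) noise that Rick says to ignore, and pair each Event 540 with its Event 538 through the Logon ID so that a user's session and workstation can be reported for the retention requirement Cindy mentions. The script below is an added example written for this page, not code from the thread or from MonitorWare or any other product named in it. It assumes a plain-text record layout modelled on the fields Cindy posted (one record per blank-line-separated block, `Key: Value` lines); the user `jdoe`, the workstation `WS-EXAMPLE-01`, the Logon ID `(0x0,0xCC101)` and the function names are constructed for illustration.

```python
"""Filter Windows 2000 security audit records before syslog forwarding and
pair logon (540) with logoff (538) by Logon ID.  Added example for this page;
record layout, the user jdoe and the workstation name are constructed."""
import re
from dataclasses import dataclass

# Logon Type meanings as listed in Rick's reply.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlocked workstation", 8: "plaintext password",
               9: "impersonated logon"}

# Constructed sample modelled on Cindy's two records, plus one invented user
# session so that the 540/538 pairing has something to match.
SAMPLE_LOG = """\
Event 540 Successful Network Logon:
User Name: PSDC1$
Domain: LC_POLICE
Logon ID: (0x0,0xCBE63)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Event 538 User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xCB82F)
Logon Type: 3

Event 540 Successful Network Logon:
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC101)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: WS-EXAMPLE-01

Event 538 User Logoff:
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC101)
Logon Type: 3
"""


@dataclass
class AuditEvent:
    event_id: int
    fields: dict


def parse_events(text):
    """Split the text into records; the first line carries the event id."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"Event (\d+)", lines[0])
        if not head:
            continue  # not an audit record; skip
        fields = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()  # empty Workstation Name -> ""
        events.append(AuditEvent(int(head.group(1)), fields))
    return events


NOISE_USERS = {"ANONYMOUS LOGON", "SYSTEM"}


def is_noise(event):
    """Rick's rule: SYSTEM, ANONYMOUS LOGON and machine accounts (trailing $)
    are normal service/process activity, not user activity."""
    user = event.fields.get("User Name", "")
    return user.upper() in NOISE_USERS or user.endswith("$")


def filter_for_syslog(events):
    """Keep only the records worth forwarding to the syslog server."""
    return [e for e in events if not is_noise(e)]


def pair_sessions(events):
    """Join each 540 to the 538 with the same Logon ID; the ID is the session
    key, whatever kind of logoff the 538 turns out to be."""
    open_sessions, sessions = {}, []
    for ev in events:
        logon_id = ev.fields.get("Logon ID")
        if ev.event_id == 540:
            open_sessions[logon_id] = ev
        elif ev.event_id == 538 and logon_id in open_sessions:
            sessions.append(_session(open_sessions.pop(logon_id), closed=True))
    # 540s with no matching 538 are still-open sessions; report them too.
    sessions.extend(_session(ev, closed=False) for ev in open_sessions.values())
    return sessions


def _session(logon, closed):
    f = logon.fields
    return {"user": f"{f.get('Domain')}\\{f.get('User Name')}",
            "logon_id": f.get("Logon ID"),
            "logon_type": LOGON_TYPES.get(int(f.get("Logon Type", 0)), "unknown"),
            "workstation": f.get("Workstation Name") or "(not recorded)",
            "closed": closed}


if __name__ == "__main__":
    kept = filter_for_syslog(parse_events(SAMPLE_LOG))
    for s in pair_sessions(kept):
        print(s)
```

Running it keeps only the two `jdoe` records out of the four and reports one closed network session from `WS-EXAMPLE-01`. The filter is deliberately the minimal one Rick describes; if the retention policy ever needs to answer questions about service or machine-account activity, forward those records to a separate, lower-volume destination rather than discarding them.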