How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 06, 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> I've evaluated and have recommended MonitorWare to our Security Director for
> the needs of our environment which is combined Enterprise with Cisco,
> Windows, Unix (all flavors) ACDs, and Tandem systems.
> 
> Clearly, our ability to send syslog formatted logs makes sense, as we're not
> the only players, just a bit more adaptable.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rittenhouse, Cindy
> Sent: Wednesday, August 06, 2003 3:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> Does anyone have any experience with MonitorWare? Since I'll need a syslog
> server, I'd like one that will also work with the logs on our Cisco devices.
> 
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 23:03
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> If you're going to have to keep all audit entries, you're going to have a
> tough time.  I can help decipher these records for you (I do a lot of
> this!), but in a nutshell you've recorded a successful logoff (the Event
> 538) and a successful network logon via the Kerberos authentication package
> by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
> Yes, they do logon and logoff of the domain - typically to connect to
> services that it needs.  This one (the Event 540) was a logon to the domain,
> where the previous was not a logoff from the domain proper.
> 
> A Logon type 3 tells you that it was via the network, while a type 2 is
> interactive (too bad you can't tell if it was actually at the console).
> Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
> (plaintext password) or 9 (impersonated logon).
> 
> The Logon process and authentication package notes what type of process was
> spawned to authenticate the user from the point it connected to the session
> through authentication.  You might see Kerberos (network), NTLM (network),
> or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
> should record as Kerberos authentication.
> 
> Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
> the machine name events logging on.  They are irrelevant and generally
> service and process related to normal operation of the network.  Do,
> however, take note of the user logon and logoffs.  The Logon ID field will
> stay with the user from Logon through the logoff of this session.  You
> should be able to always associate a 540 Event to a corresponding 538 Event.
> However, be vigilant that a 538 is not always the same.  One might indicate
> a network logoff, one might indicate a net use disconnection and another
> might record an Interactive logoff or an auto disconnect.
> 
> As to what to do about spurious events that mean nothing when dealing with
> user activity, I'd suggest a more manageable solution such as a syslog
> server for Windows events and filtering the records that you want going to
> the syslog server.  This not only collects all of the server's audit events
> at one place but also allows you to get rid of the events that play no part
> in true auditing of the server.
> 
> Do a Google search on Windows Syslog and you'll find a number of options -
> one of which should suit.
> 
> Hope this helps!
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rittenhouse, Cindy
> Sent: Tuesday, August 05, 2003 3:03 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> Rick,
> The security logs in question are on my Windows 2000 domain controllers,
> PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
> Authority\Anonymous Logon User Logoff:
>       User Name:      ANONYMOUS LOGON
>       Domain:         NT AUTHORITY
>       Logon ID:               (0x0,0xCB82F)
>       Logon Type:     3
> 
>  and Event 540 NT Authority\System Logons Successful Network Logon:
>       User Name:      PSDC1$
>       Domain:         LC_POLICE
>       Logon ID:               (0x0,0xCBE63)
>       Logon Type:     3
>       Logon Process:  Kerberos
>       Authentication Package: Kerberos
>       Workstation Name:       
> 
> These don't appear to give me any specific information. 
> 
> I need to keep records for 3 years that show when a user logged onto the
> network and from which workstation. When I audit Account Logon, I get the
> information, but the user is always System, so there is no easy way to
> filter for a specific user name. When I use Audit Logon events, I can filter
> by user name, but I'm filling 75% of the log with Anonymous and System
> logons. I'm generating about 8MB of security log daily between the two DCs,
> so I'm not sure what is the most efficient way to configure the audit policy
> on my DCs. It seems that either way, the logs fill with quite a bit of
> basically useless information.
> 
> 
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> My initial thought on this, understanding the process, is that everyone is
> Anonymous when they first hit the server.  A record of this 'anonymous'
> access is made, and the process continues where you actually identify
> yourself.
> 
> Clearly, this is going to be different if you are running a web server,
> where the access might be mostly anonymous, unless set to some manner of
> authentication (Windows, Basic, etc.)
> 
> Now, for more detail, if you want to post some of the records that you're
> seeing (you should be able to follow the authentication trail via the ID's
> in the audit records) I can help you identify what is going on and what the
> anonymous access is all about.  It would help to know what type of server
> this is, as well.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rittenhouse, Cindy
> Sent: Monday, August 04, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Anonymous Logon
> 
> I successfully upgraded my NT domain to AD yesterday. I now find my DC
> security log on the PDC emulator filling up twice a day. It is set to 2048
> KB, do not overwrite (I have to save them for 3 years). The majority of
> events are Anonymous logons. Is it normal to have this quantity of Anonymous
> logons?
> 
> Cynthia Rittenhouse  MCSE,CCNA
> LAN Administrator
> County of Lancaster
> Lancaster, PA 17602
> Phone: (717)293-7274
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
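As an added example (not code from the thread, nor from MonitorWare or Kiwi), this Python filter applies Rick's advice to records laid out like Cindy's 538/540 events: drop ANONYMOUS LOGON, SYSTEM and machine-account (`$`) entries, name the Logon Type, and tie each 540 to its 538 through the Logon ID so that only real user sessions go on to the syslog server. The `EventID` line, the user `jdoe` and the workstation `WS17` in the sample are constructed.

```python
import re
# Logon Type codes as Rick lists them in the thread.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlocked workstation", 8: "plaintext password", 9: "impersonated logon"}
# Constructed sample laid out like the quoted 538/540 records; EventID, jdoe, WS17 are made up.
SAMPLE_EVENTS = """\
EventID: 538
      User Name:      ANONYMOUS LOGON
      Logon ID:               (0x0,0xCB82F)
---
EventID: 540
      User Name:      PSDC1$
      Logon ID:               (0x0,0xCBE63)
      Logon Type:     3
---
EventID: 540
      User Name:      jdoe
      Logon ID:               (0x0,0xD1A40)
      Logon Type:     2
      Workstation Name:       WS17
---
EventID: 538
      User Name:      jdoe
      Logon ID:               (0x0,0xD1A40)
"""
def parse_events(text):
    """Split on '---' and read each 'Field: value' line into a dict."""
    blocks = [dict(re.findall(r"^\s*([^:\n]+?):\s*(.*?)\s*$", b, re.M))
              for b in text.split("---")]
    return [b for b in blocks if b]

def is_noise(ev):
    """Per the thread: ANONYMOUS LOGON, SYSTEM and machine accounts ('$') are noise."""
    user = ev.get("User Name", "")
    return user.upper() in ("ANONYMOUS LOGON", "SYSTEM") or user.endswith("$")

def correlate_sessions(events):
    """Pair each 540 (logon) with its 538 (logoff) by Logon ID, dropping noise."""
    sessions = {}
    for ev in events:
        if is_noise(ev):
            continue
        lid = ev["Logon ID"]
        if ev["EventID"] == "540":
            sessions[lid] = {"user": ev["User Name"], "logoff_seen": False,
                             "type": LOGON_TYPES.get(int(ev["Logon Type"]), "unknown"),
                             "workstation": ev.get("Workstation Name") or "-"}
        elif ev["EventID"] == "538" and lid in sessions:
            sessions[lid]["logoff_seen"] = True
    return sessions
```

Of the four sample records only the jdoe session survives, with its logoff confirmed; the remaining sessions dict is what you would format and forward to syslog.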