
Change Auditor for Logon Activity 7.1 - Event Reference Guide

Introduction

Information about login and log out activity is important for regulatory compliance and user activity tracking. There are two auditing modules provided to allow you to collect this important activity:

This guide lists the events captured by these two Change Auditor for Logon Activity auditing modules. Separate event reference guides are available that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

 

Change Auditor for Logon Activity Events

This section lists the audited events captured by the two Change Auditor for Logon Activity auditing modules. They are listed in alphabetical order by facility:

 

Authentication Activity

Domain - Group Policy:

Workgroup - Local Group Policy:

User failed to log on interactively

Created when a user failed to log on interactively to a computer.

Windows Event equivalent: 529/4625

Severity: Medium

User failed to log on interactively from a remote computer

Created when a user failed to log on interactively from a remote computer.

Windows Event equivalent: 529/4625

Severity: Medium

User failed to perform a network logon from a remote computer

Created when a user failed to log on from a remote computer on the network. (Disabled by default)

Windows Event equivalent: 529/4625

Severity: Medium

User logged on interactively

Created when a user successfully logged on interactively to a computer.

Windows Event equivalent: 528/4624

NOTE: When logging onto a monitored Windows 2012 or 2012 R2 server or a Windows 8 or 8.1 workstation, you may see additional events with ‘Windows Manager\DWM-n’ in the who information. This is expected behavior because the logon is being performed by the system.

Severity: Medium

User logged on interactively from a remote computer

Created when a user successfully logged on interactively from a remote computer.

Windows Event equivalent: 528/4624

Severity: Medium

User performed a successful network logon from a remote computer

Created when a user successfully logged on from a remote computer on the network. (Disabled by default)

Windows Event equivalent: 540/4624

Severity: Medium

User performed a successful NTLM V1 logon

Created when a user successfully logged into a server through NTLM V1. (Disabled by default)

Severity: Medium

User performed a successful NTLM V2 logon

Created when a user successfully logged into a server through NTLM V2. (Disabled by default)

Severity: Low

Domain Controller Authentication

Kerberos user ticket that exceeds the maximum ticket lifetime detected

A Kerberos user ticket can be used to verify your identity and gain access to specific resources or services in your domain. A golden ticket is a forged Kerberos ticket.

An attack using a golden ticket is extremely dangerous because of the forged identity, the elevated access it allows, and the fact that the ticket can be reused over its lifetime (10 years by default).

This event is created when the Kerberos Ticket Lifetime value in the agent configuration is exceeded, indicating a possible golden ticket attack.

Severity: High

User authenticated through Kerberos

Created when a user successfully authenticated to a domain controller using Kerberos authentication. (Disabled by default)

Severity: Medium

User failed to authenticate through Kerberos

Created when a user failed to authenticate to a domain controller using Kerberos authentication.

Severity: Medium

User authenticated through NTLM

Created when a user successfully authenticated to a domain controller using NTLM authentication. (Disabled by default)

Severity: Low

User failed to authenticate through NTLM

Created when a user failed to authenticate to a domain controller using NTLM authentication.

Severity: Medium
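
The lifetime comparison described for the "Kerberos user ticket that exceeds the maximum ticket lifetime detected" event can be illustrated with the following added example, which is not Change Auditor code. The record format, the sample data, and the 5-minute skew tolerance are assumptions; the 10-hour threshold is the Active Directory default for maximum user ticket lifetime.

```python
from datetime import datetime, timedelta

# Assumed threshold: the Active Directory default "Maximum lifetime for user
# ticket" is 10 hours; set this to your domain's Kerberos policy value.
MAX_TICKET_LIFETIME = timedelta(hours=10)
# Small tolerance for clock skew between hosts (assumption for this sketch).
SKEW = timedelta(minutes=5)

# Constructed sample records (hypothetical format: user|client|start|end, UTC).
SAMPLE = """\
alice|10.0.0.21|2024-03-01T08:00:00+00:00|2024-03-01T18:00:00+00:00
svc-backup|10.0.0.40|2024-03-01T09:15:00+00:00|2024-03-01T19:18:00+00:00
bob|10.0.0.77|2024-03-01T10:00:00+00:00|2034-02-27T10:00:00+00:00
carol|10.0.0.30|2024-03-01T12:00:00+00:00|2024-03-01T11:00:00+00:00
broken line without fields
"""

def parse_ticket(line):
    """Return (user, client, start, end) or None if the record is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    try:
        start, end = (datetime.fromisoformat(p) for p in parts[2:])
    except ValueError:
        return None
    if start.tzinfo is None or end.tzinfo is None:
        return None  # refuse naive timestamps: the lifetime would be ambiguous
    return parts[0], parts[1], start, end

def find_overlong_tickets(text, max_lifetime=MAX_TICKET_LIFETIME, skew=SKEW):
    """Flag tickets whose lifetime exceeds the policy; collect unusable records."""
    alerts, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_ticket(line)
        if rec is None or rec[3] <= rec[2]:
            rejected.append(line)  # malformed or end-before-start: review manually
            continue
        user, client, start, end = rec
        lifetime = end - start
        if lifetime > max_lifetime + skew:
            alerts.append({"user": user, "client": client,
                           "lifetime_hours": round(lifetime.total_seconds() / 3600, 1)})
    return alerts, rejected

if __name__ == "__main__":
    for kind, items in zip(("ALERT", "REJECTED"), find_overlong_tickets(SAMPLE)):
        print(kind, items)
```

Records that cannot be parsed are returned separately rather than dropped, so a malformed or tampered entry still reaches an analyst.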
