Collect Netlogon Debug Log.
The supported format is:
Date Time [Category] [PID] Message
Example:
08/15 09:39:53 [MISC] [900] Logfile truncated because it was larger than 50000 bytes
1. Enable Netlogon debug logging: Nltest /DBFlag:2080FFFF, then net stop netlogon, net start netlogon. Disable it: Nltest /DBFlag:0x0, then net stop netlogon, net start netlogon.
2. Because of log rollover, collecting the live netlogon.log does not make sense: we don't know the moment of rollover and might lose events. The workaround is to collect the backup file netlogon.bak.
3. Adjust the MaximumLogFileSize registry parameter and/or the task schedule period so that the task triggers more often than the file is rewritten.
4. InTrust cannot collect multiline events or lines without a date. As a result, each line beginning with a date represents a separate event, and lines without a date are skipped.
5. The line is broken into 4 parts:
Date Time goes to "Insertion String #1" and into fields "Time" and "When"
Category goes to "Insertion String #2" and "Category"
PID goes to "Insertion String #3"
Message goes to "Insertion String #4"
The above 4 parts altogether go to "Description"
Also, the following fields are filled up:
Agent computer name goes to "Source Computer"
0 goes to "Event ID"
"Netlogon" goes to "Log"
"netlogon debug" goes to "Source"
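The line handling from notes 4 and 5, as an added example that is not InTrust's own code: it splits log text by the supported format, fills the fields listed above, and reports which line numbers would be dropped, which is useful for checking how much of a netlogon.bak is lost to multiline entries. The function name, the agent computer name and the sample lines after the first are assumptions, as is treating any non-blank line that does not match all four parts as skipped.

```python
import re

# Supported line format from the page: Date Time [Category] [PID] Message
LINE_RE = re.compile(
    r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] \[(\d+)\] ?(.*)$"
)

def parse_netlogon(text, agent_computer):
    """Split log text into events; return (events, skipped_line_numbers)."""
    events, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        m = LINE_RE.match(line)
        if m is None:
            if line:                      # blank lines are not counted
                skipped.append(lineno)
            continue
        when, category, pid, message = m.groups()
        events.append({
            "Insertion String #1": when,  # the log carries no year; kept as text
            "Insertion String #2": category,
            "Insertion String #3": pid,
            "Insertion String #4": message,
            "Time": when,
            "When": when,
            "Category": category,
            "Description": line,          # the four parts together
            "Source Computer": agent_computer,
            "Event ID": 0,
            "Log": "Netlogon",
            "Source": "netlogon debug",
        })
    return events, skipped

# Constructed sample: line 1 is the page's example, the rest are made up.
SAMPLE = r"""08/15 09:39:53 [MISC] [900] Logfile truncated because it was larger than 50000 bytes
08/15 09:40:02 [LOGON] [900] EXAMPLE: SamLogon: Network logon of EXAMPLE\user1 from WS01 Entered
    continuation text on a line without a date
08/15 09:40:02 [LOGON] [900] EXAMPLE: SamLogon: Network logon of EXAMPLE\user1 from WS01 Returns 0xC000006A
"""

if __name__ == "__main__":
    events, skipped = parse_netlogon(SAMPLE, "DC01.example.test")
    for e in events:
        print(e["When"], e["Category"], e["Insertion String #4"])
    print("skipped lines:", skipped)
```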
Setup
1. Create a Site in InTrust Manager that contains the network objects you want to collect the Netlogon log from.
2. Create a Repository for the Netlogon log or pick one from the existing configuration.
3. Locate the InTrustPDOImport.exe tool in the InTrust installation folder or on the InTrust DVD.
4. Copy the cmd file and the 2 xml files to the folder where InTrustPDOImport.exe resides.
5. Open a command prompt as administrator, under an account with InTrust Administrator privileges, and run InTrustPDOImport_ImportNetlogon.cmd (the correct result is "Import finished" twice):
E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport_ImportNetlogon.cmd
E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport.exe -import "Netlogon Debug Log Data Source.xml"
Quest InTrust PDO Import Utility version 11.4.1.4837
Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
Importing ...
Import finished.
E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport.exe -import "Netlogon Debug Log Gathering Policy.xml"
Quest InTrust PDO Import Utility version 11.4.1.4837
Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
Importing ...
Import finished.
6. Refresh (or reopen) InTrust Manager and locate the new policy named "Netlogon Debug Log" under Gathering | Gathering Policies | Microsoft Windows Network.
7. Right-click it and select "Apply to Site". Pick the Site mentioned in step 1. Create a new schedule. To run the task every hour, set "Repeat Task every 1 hour, with duration 24 hours".
8. Enable schedule.
9. Pick the repository to collect to.
10. Finish the wizard and commit all changes (right-click the Quest InTrust Manager root node, then Commit).
11. After the first successful gathering session, open Repository Viewer and look at the repository you collect to. Create a custom Search with a layout containing the fields mentioned in note #5.