1 Reply Latest reply on Oct 4, 2017 6:45 AM by jimjim

    Domain Admin login event log forwarding?

    cplasse

      Hello,


          I'm currently trying to get the logs of where (what IP) and when (date and time) the Domain Administrator account information is used to log into one of three specific machines (2 DCs and a Finance server). I'm having some trouble defining the subscription in the Kiwi Log Forwarder. Specifically, what boxes do I need to tick off and what event ID number do I need to include? I have the IPs for the three servers that I want AD to send the Admin login logs from. Thanks!

        • Re: Domain Admin login event log forwarding?
          jimjim

          If all you want is a simple log on and log off then these two IDs should work fine. 4624 is your logon ID and 4634 is your logoff.


          If you have the Windows event log forwarder configured to forward Event Viewer > Security logs, then all you need to do is build a filter on the syslog server or web access. If you don't have it configured already you can try this. In the event log forwarder you can select Event Viewer and check Security. Then you can add the two above event IDs in the include or exclude field.


          I would build a RegExp filter to get a specific report and email alert for this event. Build the filter with the event IDs in the include field. Add the username to the AND field. This should only show you logons and logoffs from the user ID you are looking for. You can also add the IPs of the servers, but I wouldn't limit it to just IPs. I would want to know any time the domain admin account logs on.


          The include field in the filter would look like this "\b4624\b" "\b4634\b". The \b will make sure that the event ID is matched exactly.

          The AND field would look like this "username". Just add more user names if you have more than one domain admin.

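As an added example (not from the thread, and not Kiwi's or SolarWinds' own code), here is a small Python filter that applies the same logic the reply describes: an include expression of `\b4624\b|\b4634\b` ANDed with the account name, run over a few constructed syslog lines, pulling out the timestamp, host and source IP the question asks for. The line layout is an assumption for illustration, not Kiwi's actual forwarding template, and the fourth line shows why `\b` matters (a line containing "14624" is not matched).

```python
import re

# Constructed sample lines shaped like forwarded Windows Security events.
# The exact layout is assumed for this example; real forwarder output differs.
SAMPLE_LINES = [
    "Oct 04 06:12:33 DC01 Security 4624 An account was successfully logged on. "
    "Account Name: Administrator Logon Type: 10 Source Network Address: 10.0.0.25",
    "Oct 04 06:13:01 DC01 Security 4624 An account was successfully logged on. "
    "Account Name: jsmith Logon Type: 3 Source Network Address: 10.0.0.31",
    "Oct 04 06:20:45 FIN01 Security 4634 An account was logged off. "
    "Account Name: Administrator Logon Type: 10",
    "Oct 04 06:21:00 DC02 Security 14624 Unrelated event mentioning Administrator",
]

# Include field from the reply: logon (4624) or logoff (4634), matched as whole words.
INCLUDE = re.compile(r"\b4624\b|\b4634\b")

# Field extraction: timestamp, host, event ID, account name and (optional) source IP.
FIELDS = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Security (?P<eid>\d+) .*?"
    r"Account Name: (?P<user>\S+)(?:.*?Source Network Address: (?P<ip>\S+))?"
)


def match_events(lines, include=INCLUDE, and_terms=("Administrator",)):
    """Return parsed events that match `include` AND contain every term in and_terms."""
    hits = []
    for line in lines:
        if not include.search(line):
            continue  # not a logon/logoff event ID
        if not all(re.search(r"\b%s\b" % re.escape(t), line) for t in and_terms):
            continue  # AND field: every listed account name must appear
        m = FIELDS.search(line)
        if m:
            hits.append({k: m.group(k) for k in ("ts", "host", "eid", "user", "ip")})
    return hits


if __name__ == "__main__":
    for ev in match_events(SAMPLE_LINES):
        print(ev)
```

Add each additional domain admin account name to `and_terms` as the reply suggests, or move the names into the include side if you want "any of these accounts" rather than "all of them on one line".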