Failed Logins -- Better Logging?

 
 
Greg
      13th Jul 2003
Does Windows 2003 provide better logging than the event viewer? I've
enabled success and failure for logins but it doesn't provide me with useful
information (what the attempted password was, IP address if any -- for
remote logon, etc.). Even the successful login info is disappointing to me
since it doesn't provide any info about the computer used to logon.

Thanks.


 
Joe Richards [MVP]
      13th Jul 2003
IP address was supposed to be added in W2K3... I haven't looked, are you saying you have looked and it isn't there?
Password that was used is definitely not there and I would kick MS's ass if they even thought of doing that. That would
be a horrible security issue even if it were feasible (passwords aren't generally passed in clear text, it is usually a
hash/nonce scheme).

--
Joe Richards
www.joeware.net

--

"Herb Martin" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> > Does Windows 2003 provide better logging than the event viewer? I've
> > enabled success and failure for logins but it doesn't provide me with useful
> > information (what the attempted password was, IP address if any -- for
> > remote logon, etc.). Even the successful login info is disappointing to me
> > since it doesn't provide any info about the computer used to logon.
>
> No.
>
> I am considering writing something to associate Snort
> logs with Event logs to get this info.
>
> MS designed the Logon auditing prior to "public networks"
> and all IP so no provision for giving the IP address was included --
> instead we get the Machine name, which of course as you note,
> is only useful for local machines.
>
> IP address NEEDS to be added.


 
Joe Richards [MVP]
      14th Jul 2003
I just fired up my 2k3 laptop and slammed it with some bad hits and it is logging IP addresses. It is listed in the 529
events under Source Network Address.

Also it records IPs from successful logons as well.

--
Joe Richards
www.joeware.net

--

"Greg" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
> IP logging doesn't appear to be in Windows 2003 since that's what I'm
> running and I'm not seeing an IP address in the event logs.


 
 
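The 529 events and their Source Network Address field, mentioned in the post above, can be used to group failed logons by origin. The following is an added example, not part of any poster's message: the exported-text layout, the `---` record separator and the function names are assumptions, and the three records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: three failed-logon records exported as text. The layout
# is an assumption modeled on the event 529 description, not a captured log.
SAMPLE = """\
Event ID: 529
Logon Failure:
    User Name: administrator
    Workstation Name: WKSTN01
    Source Network Address: 192.0.2.15
---
Event ID: 529
Logon Failure:
    User Name: backup
    Workstation Name: WKSTN01
    Source Network Address: 192.0.2.15
---
Event ID: 529
Logon Failure:
    User Name: greg
    Workstation Name: SERVER1
    Source Network Address: -
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text, sep="---"):
    """Split the export on the separator and return one field dict per record."""
    events = []
    for block in text.split(sep):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):  # skip headings such as "Logon Failure:"
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def failures_by_source(events):
    """Map each source address to the user names that failed from it.
    A "-" or missing field is grouped under "no address"."""
    by_src = defaultdict(set)
    for ev in events:
        src = ev.get("Source Network Address", "-")
        if ev.get("Event ID") == "529":
            by_src["no address" if src == "-" else src].add(ev.get("User Name", "?"))
    return dict(by_src)
```

Several distinct user names failing from one address, as in the constructed sample, is the pattern that the machine name alone could not reveal for remote logons.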
Joe Richards [MVP]
      14th Jul 2003
I am not sure it can be in W2K; from what I understand, there were some considerable changes in some of the NetBIOS/IP
stuff to get the IP address up to the NetBIOS provider for the logging.

--
Joe Richards
www.joeware.net

--

"Herb Martin" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> "Joe Richards [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > IP address was supposed to be added in W2K3... I haven't looked, are you
> > saying you have looked and it isn't there?
> > Password that was used is definitely not there and I would kick MS's ass
> > if they even thought of doing that. That would
> > be a horrible security issue even if it were feasible (passwords aren't
> > generally passed in clear text, it is usually a
> > hash/nonce scheme).
>
> No, I haven't looked for that in Win2003 -- it isn't in SP4 of Win2000
> for sure.
>
> If it's in Win2003, I probably won't bother writing the Snort log/Event log
> comparison.


 
Greg
      14th Jul 2003
I'm seeing it now as well too (just did a clean install of it). Not sure
why it wasn't showing it before.

"Joe Richards [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I just fired up my 2k3 laptop and slammed it with some bad hits and it is
> logging IP addresses. It is listed in the 529
> events under Source Network Address.
>
> Also it records IPs from successful logons as well.



 
Eric Fitzgerald [MSFT]
      15th Jul 2003
IP address is in W2K3. Our security and auditing systems were designed to
be protocol-independent; IP address doesn't make much sense on NetBEUI or
IPX/SPX networks.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.

"Greg" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm seeing it now as well too (just did a clean install of it). Not sure
> why it wasn't showing it before.



 
B. Goodman
      15th Jul 2003
In article <#YS#(E-Mail Removed)>,
(E-Mail Removed) says...
> IP address is in W2K3. Our security and auditing systems were designed to
> be protocol-independent
>

...which was a good strategy until the late '90s when they also became
"reality-independent".

Would have been nice if MS had made a W2K add-in that would log IP
address like Server W2K3. But I expect I'm MUCH HAPPIER they spent
their resources giving us WMP 9 instead!
 