Can anyone explain this event log?

Fletch Bowling

Hello,

I am trying to audit computer use in one of our small libraries. By
reading the net I found out I can enable logging via local policy,
which I have done. Right now I am just trying to count the number of
logons (to justify funding). To make a long story short, I have been
piecing it all together via the MS VBScript (eventquery) and sending
that to Excel. Well, I soon learned that event 528 is more than just
user logins; it's also logging something called AUTHORITY\NETWORK
SERVICE. No problem, I figured out how to filter that out with
eventquery. I have been letting the logging run for a few days at a
hospital on one machine as a test basis. I checked the logs today and
look what I got:

Notice the user in part is listed as
S-1-5-21-1840077180-1519677995-3089533590-1006

But further down it's listed as Patron (what it should be)

Any ideas what this could be? It's only shown up a couple of times, but
I need to know what it is.

Thanks, regards,
Fletch




Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 11/16/2004
Time: 1:03:55 PM
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron
Domain: PCK1
Logon ID: (0x0,0x91729EF)
Logon Type: 2
Logon Process: NWGINA
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PCK1
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Dave Patrick

You'll find those SIDs listed at:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Fletch Bowling

Dave,

OK, that got me close, but it's not showing up in that location. I did
find it here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-1840077180-1519677995-3089533590-1006

It has something to do with group policy, but I am not sure what.

Any ideas on how to find out what this is? If it's not an actual
user, I am going to have to filter it out.

Thanks again,
Fletch
 
Dave Patrick

OK, now I'm not sure of the question anymore. NT AUTHORITY\NetworkService is
an operating system service account used to start several system services.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Fletch Bowling

Dave,
OK, I know NT AUTHORITY is a machine account and I am already filtering
that out.
I am unsure what this is:
"
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron

"

Under User it gives the S-1-5 etc., but then User Name says Patron.

Patron is the default name we use to log into the machine. We are
migrating from Novell to MS and Samba. Right now a user authenticates
to NetWare, then just uses Patron to log into Windows.

If this S-1-5 etc. is just another machine account, I will just filter
it out to keep my statistics accurate. But it has Patron as the user
name and that's confusing me.

Thanks,
Fletch
 
Dave Patrick

Logon Type: 2 is an interactive logon: a user logged on to this computer.

Logon Process: NWGINA appears to be a NetWare process.

Hope this helps.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Dave Patrick

You're welcome.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thanks, yes it does. I suspect when Novell is gone, so will that event.
|
| Regards,
| Fletch
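
Added example (not part of the thread, and not the poster's eventquery script): one way to count interactive logons from event 528 text in the layout quoted above. It filters on Logon Type 2 instead of on account names and keys on the description's Domain and User Name, so a record whose header shows an unresolved SID is counted with the same account. The second and third records, the abbreviated field set and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the thread's layout; only the first record's values come from the page.
SAMPLE = r"""Event Type: Success Audit
Event ID: 528
User: S-1-5-21-1840077180-1519677995-3089533590-1006
User Name: Patron
Domain: PCK1
Logon Type: 2
Event Type: Success Audit
Event ID: 528
User: NT AUTHORITY\NETWORK SERVICE
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Event Type: Success Audit
Event ID: 528
User: PCK1\Patron
User Name: Patron
Domain: PCK1
Logon Type: 2
"""

# Well-known SIDs of the built-in service identities (fixed on every Windows system).
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # machine/domain id + RID

def parse_events(text):
    """Split on 'Event Type:' and read each 'Key: Value' line into a dict."""
    chunks = re.split(r"(?m)^(?=Event Type:)", text)
    parsed = (dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$", c)) for c in chunks)
    return [fields for fields in parsed if fields]

def classify_user_field(user):
    """Header 'User:' value: service SID, unresolved account SID, or an already-resolved name."""
    if user in SERVICE_SIDS:
        return "service:" + SERVICE_SIDS[user]
    m = ACCOUNT_SID.match(user)
    return "account-sid:rid=" + m.group(1) if m else "name"

def count_interactive_logons(events):
    """Count event 528 / Logon Type 2 (service logons are type 5), keyed on Domain\\User Name."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") == "528" and e.get("Logon Type") == "2":
            counts[e.get("Domain", "?") + "\\" + e.get("User Name", "?")] += 1
    return counts

if __name__ == "__main__":
    print(dict(count_interactive_logons(parse_events(SAMPLE))))
```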
 
