Can anyone explain this event log?


Fletch Bowling

Hello,

I am trying to audit computer use in one of our small libraries. By
reading the net I found out I can enable logging via local policy,
which I have done. Right now I am just trying to count the number of
logons (to justify funding). To make a long story short, I have been
piecing it all together via the MS VBScript (eventquery) and sending
that to Excel. Well, I soon learned that event 528 is more than just
user logins; it's also logging something called AUTHORITY\NETWORK
SERVICE. No problem, I figured out how to filter that out with
eventquery. I have been letting the logging run for a few days at a
hospital on one machine as a test basis. I checked the logs today and
look what I got:

Notice the user in part is listed as
S-1-5-21-1840077180-1519677995-3089533590-1006

But further down it's listed as Patron (what it should be)

Any ideas what this could be? It's only shown up a couple of times but
I need to know what it is.

Thanks, regards,
Fletch




Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 11/16/2004
Time: 1:03:55 PM
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron
Domain: PCK1
Logon ID: (0x0,0x91729EF)
Logon Type: 2
Logon Process: NWGINA
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PCK1
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
You'll find those SIDs listed at:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Dave,

OK, that got me close but it's not showing up in that location. I did
find it here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-1840077180-1519677995-3089533590-1006

It has something to do with group policy but I am not sure what.

Any ideas on how to find out what this is? If it's not an actual
user, I am going to have to filter it out.

Thanks again,
Fletch
 
OK, now I'm not sure of the question anymore. NT AUTHORITY\NetworkService is
an operating system service account used to start several system services.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Dave,
OK, I know NT AUTHORITY is a machine account and I am already filtering
that out.
I am unsure what this is:
"
User: S-1-5-21-1840077180-1519677995-3089533590-1006
Computer: PCK1
Description:
Successful Logon:
User Name: Patron

"

Under User it gives the S-1-5 etc., but then User Name says Patron.

Patron is the default name we use to log into the machine. We are
migrating from Novell to MS and Samba. Right now a user authenticates
to NetWare, then just uses Patron to log into Windows.

If this S-1-5 etc. is just another machine account, I will just filter
it out to keep my statistics accurate. But it has Patron as the user
name and that's confusing me.

Thanks,
Fletch
 
Logon Type: 2 is interactive: a user logged on to this computer.

Logon Process: NWGINA appears to be a NetWare process.

Hope this helps.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
You're welcome.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thanks, yes it does. I suspect when Novell is gone so will that event.
|
| Regards,
| Fletch
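
Added example (not part of the original thread): one way to do the logon count discussed above in Python, assuming the events were exported as blank-line-separated "Field: value" text like the record quoted in the thread. It keys on the description's User Name and Logon Type rather than the header User field, so an event whose header shows a raw S-1-5-21-... account SID is still counted, while the built-in service identities are dropped. The sample records and function names are constructed for illustration.

```python
import re
from collections import Counter

# Well-known service SIDs and names that also produce event 528 (not people).
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL/NETWORK SERVICE
SERVICE_NAMES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# S-1-5-21-<three sub-authorities>-<RID>: an account SID issued by a machine or domain.
ACCOUNT_SID = re.compile(r"S-1-5-21(-\d+){3}-(\d+)")

# Constructed sample: the thread's record (trimmed) plus two made-up records.
SAMPLE = """\
Event ID: 528
User: S-1-5-21-1840077180-1519677995-3089533590-1006
User Name: Patron
Domain: PCK1
Logon Type: 2

Event ID: 528
User: NT AUTHORITY\\NETWORK SERVICE
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon Type: 5

Event ID: 528
User: PCK1\\Patron
User Name: Patron
Domain: PCK1
Logon Type: 2
"""

def parse_records(text):
    """Yield one dict of 'Field: value' pairs per blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", block, re.M)
        yield {k.strip(): v.strip() for k, v in pairs}

def count_interactive_logons(text):
    """Count interactive (type 2) 528 events; return (counts, raw_header_sids)."""
    counts, raw_sids = Counter(), []
    for r in parse_records(text):
        if r.get("Event ID") != "528" or r.get("Logon Type") != "2":
            continue  # not a successful interactive logon
        header, name = r.get("User", ""), r.get("User Name", "")
        if header in SERVICE_SIDS or name.upper() in SERVICE_NAMES:
            continue  # service identity, not a person at the keyboard
        if ACCOUNT_SID.fullmatch(header):
            raw_sids.append(header)  # header shown as a raw SID; still a real account
        counts[r.get("Domain", "") + "\\" + name] += 1
    return counts, raw_sids
```
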
 