Analysis Security Events - XP - Remote Users/Last Log in Time

(imported topic written by SystemAdmin)

Would like to pull the list of users that have logged into XP systems remotely and the last time they have done so.

Trying to pull:

Event ID: 528 (Successful login)

AND

Type: Success

AND

Logon Type: 10 (Remote)

FROM

the “security event log”

Then would like the one result per remote username, and the last time, and last Source Network Address.

Which relevance genius can solve this problem?

(imported comment written by NoahSalzman)

Dealing with the security event log can be tricky at times (for example, see here or here). To start down the path, what does this query return for you:

q: number of records whose (event id of it = 528) of security event log

If you actually get something back other than 0, then what does this return:

q: description of records whose (event id of it = 528 AND time written of it > now - (1*day)) of security event log

The time constraint is only there to limit the number of returned values.

Noah

(imported comment written by SystemAdmin)

q: number of records whose (event id of it = 528) of security event log

A: 7583

T: 83927.770 ms

I: singular integer

q: description of records whose (event id of it = 528 AND time written of it > now - (1*day)) of security event log

A: Successful Logon:%0d%0a %09User Name:%09NETWORK SERVICE%0d%0a %09Domain:%09%09NT AUTHORITY%0d%0a %09Logon ID:%09%09(0x0,0x3E4)%0d%0a %09Logon Type:%095%0d%0a %09Logon Process:%09Advapi %0d%0a %09Authentication Package:%09Negotiate%0d%0a %09Workstation Name:%09%0d%0a %09Logon GUID:%09-

E: Singular expression refers to non-unique object.

(imported comment written by SystemAdmin)

I filtered down to show you the results of a real user:

descriptions whose (it as string contains "myusername") of records whose ((event id of it = 528 AND time written of it > now - (1*day))) of security event log

A: Successful Logon:%0d%0a %09User Name:%09myusername%0d%0a %09Domain:%09%09LOGONNET%0d%0a %09Logon ID:%09%09(0x0,0x60EEC)%0d%0a %09Logon Type:%0911%0d%0a %09Logon Process:%09User32 %0d%0a %09Authentication Package:%09Negotiate%0d%0a %09Workstation Name:%0Myworkstation%0d%0a %09Logon GUID:%09-

(imported comment written by BenKus)

Try this:

q: (item 0 of it & " – " & item 1 of it) of (parenthesized parts of (matches (regex "User Name:\s(\w+)") of it), parenthesized parts of (matches (regex "Logon Type:\s(\w+)") of it)) whose (item 1 of it as integer = 10) of descriptions of records whose (event id of it = 528 ) of security event log
A: INFINITEMONKEYS – 10
A: Administrator – 10

Warning!

This relevance that queries the event log is very slow and puts a lot of load on the agent computer… You should be careful about putting this in any Fixlet or property (if it is in a property, you should only evaluate it once a day or less)…

Ben

(imported comment written by SystemAdmin)

getting real warm: below are the results… now how to get unique values and last logon time for each?

A: administrator – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: usermboseck – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

A: HelpAssistant – 10

(imported comment written by BenKus)

Getting the latest time is pretty tricky… but here is a way to get the unique values of logins in the last week:

q: unique values of (item 0 of it) of (parenthesized parts of (matches (regex "User Name:\s(\w+)") of it), parenthesized parts of (matches (regex "Logon Type:\s(\w+)") of it)) whose (item 1 of it as integer = 10) of descriptions of records whose (event id of it = 528 AND time generated of it > now - 7*day) of security event log

Ben

(imported comment written by SystemAdmin)

Received below:

q: unique values of (item 0 of it) of (parenthesized parts of (matches (regex "User Name:\s(\w+)") of it), parenthesized parts of (matches (regex "Logon Type:\s(\w+)") of it)) whose (item 1 of it as integer = 10) of descriptions of records whose (event id of it = 528 AND time generated of it > now - 7*day) of security event log

T: 42704.351 ms

I: plural string with multiplicity

This worked:

q: unique values of ((item 0 of it) of (parenthesized parts of (matches (regex "User Name:\s(\w+)") of it), parenthesized parts of (matches (regex "Logon Type:\s(\w+)") of it)) whose (item 1 of it as integer = 10) of descriptions of records whose (event id of it = 528 ) of security event log )

A: HelpAssistant

A: myuser

A: myuser2

T: 50329.461 ms

I: plural string with multiplicity

(imported comment written by SystemAdmin)

Any idea on how to take the above list, then search for the most recent?

(imported comment written by NoahSalzman)

Where is this output going to be read? Were you going to put it in Web Reports, an Analysis, SOAP API? I ask as Relevance is not a good place to do sorting… it would be much easier to do that at a higher layer.

(imported comment written by SystemAdmin)

We would like the output as an analysis to determine which system has had remote users, the names of the remote users and the last time that each remote user logged in.

So from the relevance above, we can pull a list of each remote user; the next piece is to take the results of each user and find the most recent connection by date and display the name and date.

(imported comment written by jeko1791)

I am trying to use a variation of the above relevance, to return the last week’s worth of failed login attempts and the offending account in the DOMAIN\USERNAME format. However, when I run this, I’m getting different combinations of Domain\User Name (4 answers when there is only 1 event) because there are multiple lines in the event description data that include “Domain:” and “User Name:”.

q: (time generated of it, ((item 1 of it & "\" & item 0 of it) of (parenthesized parts of (matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it)))) of records whose (event id of it = 529 AND time generated of it >(now-7*day)) of security event log

A: ( Wed, 26 Aug 2009 19:31:26 -0500 ), HOSTNAME\jeko17

A: ( Wed, 26 Aug 2009 19:31:26 -0500 ), DOMAINNAME\jeko17

A: ( Wed, 26 Aug 2009 19:31:26 -0500 ), HOSTNAME\HOSTNAME

A: ( Wed, 26 Aug 2009 19:31:26 -0500 ), DOMAINNAME\HOSTNAME

This returns one line, but does not give me the detail on the user attempting login:

q: (time generated of it, user sid of it) of records whose (event id of it = 529 AND time generated of it >(now-7*day)) of security event log

A: ( Wed, 26 Aug 2009 19:31:26 -0500 ), NT AUTHORITY\SYSTEM

I’m pretty sure this is something in my regex that needs to limit the line in the Description that is returned, but I’m not sure what that regex would look like.

Any ideas?

Thx.

(imported comment written by BenKus)

Try "first matches":

q: (time generated of it, ((item 1 of it & "\" & item 0 of it) of (parenthesized parts of (first matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it)))) of records whose (event id of it = 529 AND time generated of it >(now-7*day)) of security event log

Ben

(imported comment written by SystemAdmin)

Ben, that works… it lists all logins… how do I parse out just the last one in the list?

A: ( Fri, 28 Aug 2009 11:23:19 -0400 ), domain\user_test

A: ( Fri, 28 Aug 2009 15:22:00 -0400 ), domain\user_test

A: ( Sat, 29 Aug 2009 18:55:01 -0400 ), domain\user_test

A: ( Mon, 31 Aug 2009 08:32:02 -0400 ), domain\user_test <-------- this is the one we want to show up in an analysis…

(imported comment written by jeko1791)

Great, that worked perfectly Ben. Now, since I cannot run these relevance clauses during the day (due to system load), I’ve added them to a Task that writes data to a .txt file during specific hours at night, then a Property will return the data from different sections of the .txt file. How would I format this output so it creates one entry per line in the text file? This is what our Action Script looks like. I’ve tried “concatenation” and “substrings separated by” but am getting errors on each. Any ideas here?

delete {pathname of parent folder of client}\logmon.log

delete __createfile

createfile until __EOF

529

{(time written of it,(item 1 of it & "\" & item 0 of it) of (parenthesized parts of (first matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (first matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it))) of records whose (time written of it > now - 1*day AND event id of it = 529) of security event log }

530

{(time written of it,(item 1 of it & "\" & item 0 of it) of (parenthesized parts of (first matches (regex "User Name:\s(\w+)") of description of it), parenthesized parts of (first matches (regex "Domain:\s+([A-Za-z0-9-]+)") of description of it))) of records whose (time written of it > now - 1*day AND event id of it = 530) of security event log }

__EOF

copy __createfile "{pathname of (parent folder of client)}\logmon.log"

(imported comment written by BenKus)

Try adding:

concatenation "%0d%0a" of (it as string) of …

to the front of your relevance clauses to make newlines…

Ben

(imported comment written by jeko1791)

You had me at “(it as string)”. I had tried the concatenation but I knew I was missing something.

Thanks Ben