This is a little better since it gives you logon types.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodt
echnol/windowsserver2003/proddocs/standard/518.asp

Or http://tinyurl.com/p4ve

There is quite a lot of info out there on failed logons. What I would
like to know is when someone locks their machine. That doesn't seem to
trigger anything in the event logs. But I don't want to audit every
object access. Any ideas?

Drew

-----Original Message-----
From: Sean Warnock [mailto:***@warnocksolutions.com]
Sent: Saturday, October 25, 2003 7:59 AM
To: FOCUS-***@SECURITYFOCUS.COM
Subject: Event Log messages for failed logon attempts


I am currently working on a small script that will parse the
event logs of a Windows NT/2000/2003 domain controller looking for
failed logon attempts. I am currently aware of event log message 529. I
believe that I have been able to generate several other error messages
for failed logon attempts depending upon what a client is using to
authenticate with (ex. Kerberos, NTLM, etc...). Does anyone have any
other input or articles that they would suggest as the only KB article
that I have found so far was 299475.

Sean

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
---------------------------------------------------------------------------

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/518.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec3/monito.asp

These might help, I refer to them quite often.

It sounds like you're trying to write something like this:
http://pantheon.yale.edu/~kjh27/logger.html

The author may be willing to distribute it beyond other EDUs if you ask.

Brad Judy

Information Technology Services
University of Colorado at Boulder
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
---------------------------------------------------------------------------

There is a tool in the 2003 resource kit tools called eventcombmt.exe.
Here is the description of the tool:

Event Comb (EventCombMT) is a GUI tool that searches event logs on
multiple DCs/Servers and collects EventID records matching the specified
criteria.

The 2003 resource kit tools can be found here:
http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.m
spx

It has worked well for me.

Dan


-----Original Message-----
From: Brad Judy [mailto:***@colorado.edu]
Sent: Tuesday, November 04, 2003 12:12 PM
To: 'Sean Warnock'; FOCUS-***@securityfocus.com
Subject: RE: Event Log messages for failed logon attempts


It sounds like you're trying to write something like this:
http://pantheon.yale.edu/~kjh27/logger.html

The author may be willing to distribute it beyond other EDUs if you ask.


Brad Judy

Information Technology Services
University of Colorado at Boulder
------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
---------------------------------------------------------------------------

Athought it's also in the RK, Eventcomb is part of the Account Lockout
and Management Tools package that has some additional tools and
extension dll's that are quite useful and not in the RK.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4
E63-8629-B999ADDE0B9E&displaylang=en
Account Passwords and Policies whitepaper has over 30 Logon Event Ids
described and also shows how to utilize netlogon trace files if you want
to dig deeper.[Analyzing Log File Information section]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodt
echnol/windowsserver2003/maintain/operate/BPACTLCK.asp

hth

Bob Free
Sr Network Specialist
PG&E Co






---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
---------------------------------------------------------------------------