EventLog Auditing AD Get User IP

Posted 2019-08-17 03:49

Question:

Which auditing settings should be enabled in order to see AD logged in user's ip address?

Answer 1:

On any Domain Server, in the event log, you can find the information you ask for.

Here is the extraction of a user login Event "4624" and logout Event "4634". You can make a relation between the events by the data named TargetLogonId. The IP address is in the data named IpAddress.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-26T11:09:52.930000000Z" />
    <EventRecordID>33354</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="3244" />
    <Channel>Security</Channel>
    <Computer>WM2008R2ENT.dom.fr</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
    <Data Name="TargetUserName">WM2008R2ENT2$</Data>
    <Data Name="TargetDomainName">MOD</Data>
    <Data Name="TargetLogonId">0x6ded7f</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">
    </Data>
    <Data Name="LogonGuid">{7B3D7A34-80A9-F1B2-CCF1-7F783ED88C28}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.183.101</Data>
    <Data Name="IpPort">51243</Data>
  </EventData>
</Event>

Here is the extraction of a user logout Event "4634":

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2011-05-26T11:10:03.070625000Z" />
    <EventRecordID>33355</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="3244" />
    <Channel>Security</Channel>
    <Computer>WM2008R2ENT.dom.fr</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
    <Data Name="TargetUserName">WM2008R2ENT2$</Data>
    <Data Name="TargetDomainName">MOD</Data>
    <Data Name="TargetLogonId">0x6ded7f</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
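As an added example, not part of the answer above, the following Python script parses Security events exported in the XML form shown and pairs each 4624 logon with its 4634 logoff through TargetLogonId, keeping the IpAddress and LogonType from the logon event. The two sample events are constructed here, trimmed to the fields the script reads, with values copied from the extracts above; an IpAddress of "-" (a local, non-network logon) is reported as no IP.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (EventID, TimeCreated as datetime, {Data Name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # Event Viewer writes 9 fractional digits; strptime's %f accepts at most 6
    head, _, frac = stamp.rstrip("Z").partition(".")
    when = datetime.strptime(f"{head}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, when, data

def correlate_sessions(event_xmls):
    """Pair each 4624 logon with its 4634 logoff via TargetLogonId and keep the source IP."""
    sessions = {}
    for xml_text in event_xmls:
        event_id, when, data = parse_event(xml_text)
        logon_id = data.get("TargetLogonId")
        if event_id == 4624:
            ip = data.get("IpAddress")
            sessions[logon_id] = {
                "user": f"{data['TargetDomainName']}\\{data['TargetUserName']}",
                "ip": None if ip in (None, "", "-") else ip,  # "-" means no network source
                "logon_type": int(data["LogonType"]),
                "logon": when,
                "logoff": None,
            }
        elif event_id == 4634 and logon_id in sessions:
            sessions[logon_id]["logoff"] = when
    return sessions

# Constructed sample events, trimmed to the fields used here (values taken from the extracts above)
LOGON = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2011-05-26T11:09:52.930000000Z"/></System>
<EventData><Data Name="TargetUserName">WM2008R2ENT2$</Data><Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data><Data Name="LogonType">3</Data>
<Data Name="IpAddress">192.168.183.101</Data><Data Name="IpPort">51243</Data></EventData></Event>"""
LOGOFF = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4634</EventID><TimeCreated SystemTime="2011-05-26T11:10:03.070625000Z"/></System>
<EventData><Data Name="TargetUserName">WM2008R2ENT2$</Data><Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data><Data Name="LogonType">3</Data></EventData></Event>"""
if __name__ == "__main__":
    for logon_id, s in correlate_sessions([LOGON, LOGOFF]).items():
        seconds = (s["logoff"] - s["logon"]).total_seconds() if s["logoff"] else "still open"
        print(f"{logon_id}: {s['user']} from {s['ip']} (type {s['logon_type']}), {seconds}s")
```

A 4634 whose TargetLogonId was never seen in a 4624 is ignored, so feed the script the full time range of the log rather than a window that starts mid-session.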