
Find Client PC Interactive Logon from Domain Controller Logs

sfefcu
Path Finder

I am looking to get desktop (domain user) interactive and RDP logons from Domain Controller logs. I don't know if this is possible. I have looked up and down splunk>answers and found similar questions answered, but none definitively answer my question in particular. So when a domain user logs on to a desktop PC anywhere in the domain, I want that to show up on my search.

So far I am searching for (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4624 OR EventCode=4648). Really only 4624 gets results, and the only results I am seeing are for Logon Type 3, which corresponds to mapped network drives and printers, etc. Not the stuff I'm interested in. I'm interested in Logon Type 2, 7, and 10 mostly. The list of Logon Types can be found at https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

If I look at the Event Viewer on a client PC, I do see Event Code 4624 with the Logon Types I want (3, 7, 10), but these don't appear on domain controller logs. Am I missing something? I'm trying to avoid installing the UF and TA on each workstation as it would likely make me go over my license. Is there a way for me to tell if a user performed an interactive/remote logon or unlock from my domain controller logs?

Thanks for your help.

1 Solution

Richfez
SplunkTrust

I can provide more details when I can get hooked back up into work, but we solved the login tracking problem best by ...

1) Setting a GPO to ensure all workstations log their own logins.
2) Installing the UF on each workstation, but ONLY having them send in the Security Event Log events that match the event codes we wanted (literally fewer than a dozen lines per day per workstation - unnoticeable amounts of data).
3) Using those in conjunction with the DC's logs to determine all this.

When #1 is set, I believe that made the workstation itself log both local logins (which the DCs won't notice nor care about anyway, but which are a big potential security issue!) and also log the login for the domain as well. It took a little googling and testing to get it to do just what we wanted, but in the end it worked out well.

If you do #2 you'll want to install/enable/set up the Deployment Server to control the configs they're getting, if you haven't done so already.

For #3 I'm not sure we even needed the logs off the DCs for this, though they were obviously useful for other things.

Also, as a note for RDP and whatnot - If you look in the logs from around the areas in Event Viewer like:

Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager\Operational
Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager\Operational

(And there's a couple more in there.) You'll find that's got a very nice, easily parsed and simple list of who remotely connected, when, from where and for how long. Far easier than all the other methods of trying to properly dig that out of the 4624 events. Look around in there and I think you'll figure out which events you want to pull into Splunk.

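Putting the accepted answer's step 2 (forward only the event codes you need) and its TerminalServices note into a concrete universal forwarder input configuration. This is an added example, not configuration from the original thread or from Splunk; the app path, the index name and the exact set of whitelisted event IDs are assumptions to adjust for your environment. The whitelist is applied on the workstation, so events that do not match are never forwarded and never count against the indexing license.

```ini
# Example inputs.conf for the workstation UF, pushed from the Deployment
# Server in an app such as
#   $SPLUNK_HOME/etc/apps/win_logon_inputs/local/inputs.conf
# (app name and "index = wineventlog" are assumptions for this example)

[WinEventLog://Security]
disabled = 0
index = wineventlog
# Only these event codes leave the workstation; everything else is dropped
# by the UF before it is sent, which is what keeps the license impact small.
#   4624 successful logon   (filter on Logon Type 2/7/10/11 in the search;
#                            Logon Type 7 is the unlock case)
#   4634 / 4647 logoff
#   4648 logon with explicit credentials (runas, some RDP paths)
#   4800 / 4801 workstation locked / unlocked (needs the
#        "Audit Other Logon/Logoff Events" subcategory enabled by GPO)
whitelist = 4624,4634,4647,4648,4800,4801
# Alternative, tighter filter if you only want interactive-style 4624s to be
# forwarded at all: Splunk's key=%regex% whitelist form matched against the
# rendered Message text. Assumption: message text is in English.
# whitelist1 = EventCode=%^4624$% Message=%Logon Type:\s+(2|7|10|11)\b%

# RDP session lifecycle: who connected, when, from where, for how long.
[WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
disabled = 0
index = wineventlog
# 21 session logon, 22 shell start, 23 session logoff,
# 24 session disconnected, 25 session reconnected
whitelist = 21,22,23,24,25

# Initial RDP authentication (carries the client source IP).
[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = 0
index = wineventlog
# 1149 user authentication succeeded
whitelist = 1149
```

Two points to check before rolling this out. First, the Security log events only exist on the workstation if the GPO in step 1 actually enables the Logon/Logoff audit subcategories there; verify in the local Event Viewer that 4624 with Logon Type 2, 7 and 10 appears before blaming the forwarder. Second, field names in your search depend on how the events are rendered: with the Splunk Add-on for Microsoft Windows and the classic text rendering, the field is typically extracted as Logon_Type (assumption based on that add-on's defaults), whereas XML rendering (renderXml = true) yields LogonType, so the search filter has to match whichever one your data shows.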


sfefcu
Path Finder

Thanks for the suggestion. I am installing the UF on all PCs and limiting collection to just the Event Codes that I need.
