paulnus
Joined: 29 Aug 2011 Posts: 17
Posted: Thu Jan 21, 2021 10:48 am Post subject: NTEventUser - Domain Admin Login Help
Hello,
My goal is to alert when a domain admin logs into a device on our network. We have the proper auditing turned on for our Windows servers and I am putting Event Log tests on all our domain controllers.
My test properly picks up the event I am looking for (4624) and it does properly bring back when the description contains one of my domain admin usernames using "Account Name: xxxxxx".
I am using the Slack notification to send to the channel but the text when going to slack removes the CRLF and the NTEventUser is showing up blank.
My alert:
Code:
############################################
:face_vomiting: :rotating_light: [%hostaddr%] :face_vomiting: :rotating_light:
############################################
%TestName%
Event Source: %NTEventSource%
Event Time: %NTEventTime%
Event Name: %NTEventTypeName%
Event User: %NTEventUser%
Method: %TestMethod%
Date: %DateTime%
Status: %Status%
Recurr: %Recurrences%
Agent: %Agent%
Path: %FullPath%
############################################
Results:
Code:
############################################
:face_vomiting: :rotating_light: [localhost] :face_vomiting: :rotating_light:
############################################
SRVXXX1 - [10.0.0.1] - [NT Events log] - [DA Logon - 4624]
Event Source: Microsoft-Windows-Security-Auditing
Event Time: 1/21/2021 9:01:32 AM
Event Number: 8
Event Name: Success audit
Event User: -
Method: check NT Event Log
Date: 1/21/2021 3:01:43 PM
Status: Bad
Recurr: 1
Agent: SRVXXX1
Path: Root\COMPANY\Servers\Virtual\SRVXXX1\
############################################
Here is part of the 4624 event log:
Code:
2021-01-21 14:34:22 Local7.Debug 10.224.8.11 2021-01-21 08:34:21 SRVXXX1 AUDIT_SUCCESS 4624 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SRVXXX1$
Account Domain: COMPANY
Logon ID: 0x333
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2222222222-2222222222-1935222222222213326-2222
Account Name: myusername
Account Domain: COMPANY
Logon ID: 0x22222222222
Linked Logon ID: 0x22222222222
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
My question would be, as it relates to the %NTEventUser% variable, whether it's pulling the "Account Name" or what piece of information it keys off of during this process. Am I looking at the wrong log, or a log where that will not work?
If there is another way of achieving this where I can simply return the user account that was trying to log in, I am all ears. I was trying to potentially alter the Reply results with just the Account Name but figured after some reading that I couldn't do that based on how that was intended to work.
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Jan 21, 2021 11:55 am Post subject:
Windows version on HostMonitor and remote system?
HostMonitor version?
I think %NTEventUser% is empty because there is no such data in the event record. Does Windows Event Viewer show "User: N/A" for this event?
While "Account Name: myusername" is part of event text, %NTEventText% can be used to retrieve event message.
Regards
Alex
paulnus
Joined: 29 Aug 2011 Posts: 17
Posted: Thu Jan 21, 2021 12:11 pm Post subject:
I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.
Windows on HM: Microsoft Windows Server 2019 Datacenter
HM Version: v12.56
Windows on DC: Microsoft Windows Server 2019 Standard
RMA Version: v7.31
I was going down the road of using "Tune up Reply" to getword, but I really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> the first word after "Account:" in the %NTEventText%. I realize now that getword doesn't actually work that way.
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Jan 21, 2021 12:50 pm Post subject:
Quote:
I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.

Sorry, I do not understand what you mean.
What does "key field" mean? HostMonitor checks events using the filter you set for the test, like event ID, event type, some text string(s).
If you set filter using "Description contains any string from the list: Account Name" then HostMonitor will check for "Account Name" string within event text.
This does not mean HostMonitor will show you just account name, this means HostMonitor will detect such event as "bad" and trigger status change and start actions assigned to the test.
While "User: N/A" is related to a parameter of the event. It's not part of the event text, it's a special event field.
Your complaint was regarding %NTEventUser% showing up blank, that's why I asked you to check the event parameters. Probably HostMonitor works correctly and there is no UserID specified for this event.
Quote:
i really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> The first word after "Account:" in the %NTEventText%
There is no such option.
Maybe we can add a "GetLineWithText" operator - find the line with specific text and return the entire line.
So you would be able to use an expression like
"%NTEventText%" GetLineWithText "Account Name:" getword 3
Regards
Alex
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Jan 21, 2021 1:08 pm Post subject:
On the other hand, HostMonitor offers indexof and substr functions.
If you need 1 word after "Account Name:", you may use the "TuneUp Reply value" option with an expression like
[substr("%NTEventText%", indexof("%NTEventText%","Account Name:"), 100) getword 3]
Then just use %Reply% as a parameter of the action.
Regards
Alex
paulnus
Joined: 29 Aug 2011 Posts: 17
Posted: Thu Jan 21, 2021 1:12 pm Post subject:
No problem, I was explaining it dumb.
What I was saying was that I was thinking the %NTEventUser% was something special that would be trying to extract usernames. I'm not in the logs enough to know that "User:" is a common field.
Great, I'll try to just return the line. That will suit my needs great.
paulnus
Joined: 29 Aug 2011 Posts: 17
Posted: Thu Jan 21, 2021 1:42 pm Post subject:
Worked!
I had to use "New Logon:" since "Account Name:" appeared multiple times and it grabbed the first one, which is not what I wanted.
Code:
[substr("%NTEventText%", indexof("%NTEventText%","New Logon:"), 100) getword 8]
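As an added illustration (not code from the thread or from HostMonitor), this Python script works the same extraction on a constructed 4624 message: hostmonitor_expr approximates the substr/indexof/getword expression used above, and parse_sections shows a position-independent way to read the "New Logon:" account that the Slack alert is really after. The sample text, the SID and the user names are made up, and the emulation is an approximation of HostMonitor's string functions, not their real implementation.

```python
import re

# Constructed sample modelled on the 4624 text quoted in the thread
# (SID shortened to a realistic length; all values are made up).
SAMPLE_4624 = """An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SRVXXX1$
Account Domain: COMPANY
Logon ID: 0x333
Logon Information:
Logon Type: 2
New Logon:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Account Name: myusername
Account Domain: COMPANY
"""

def hostmonitor_expr(text, marker="New Logon:", width=100, word=8):
    """Approximate [substr(text, indexof(text, marker), width) getword N]:
    take `width` characters from the marker and return the N-th whitespace word."""
    start = text.find(marker)
    if start < 0:
        return None
    words = text[start:start + width].split()
    return words[word - 1] if len(words) >= word else None

def parse_sections(text):
    """Split the message into {section: {field: value}}; a line whose value
    is empty ('Subject:', 'New Logon:') opens a new section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            continue  # free text such as the first summary line
        if value.strip() == "":
            current = key.strip()
            sections.setdefault(current, {})
        elif current is not None:
            sections[current][key.strip()] = value.strip()
    return sections

def new_logon_account(text):
    """(domain, name) of the account that actually logged on, whatever its word offset."""
    s = parse_sections(text).get("New Logon", {})
    return s.get("Account Domain"), s.get("Account Name")

def is_domain_admin_logon(text, domain_admins):
    """Case-insensitive match of the New Logon account against a watch list."""
    _, name = new_logon_account(text)
    return name is not None and name.lower() in {a.lower() for a in domain_admins}
```

The first "Account Name:" in the text belongs to the Subject section (here the computer account SRVXXX1$), which is why getword 3 after that marker misfires; note also that the 100-character window after "New Logon:" can cut off the account name when the SID or username is long, which the line-based parser avoids.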