KS-Soft. Network Management Solutions
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister    ProfileProfile    Log inLog in 

NTEventUser - Domain Admin Login Help

 
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting
View previous topic :: View next topic  
Author Message
paulnus



Joined: 29 Aug 2011
Posts: 17

PostPosted: Thu Jan 21, 2021 10:48 am    Post subject: NTEventUser - Domain Admin Login Help Reply with quote

Hello,
My goal is to alert when a domain admin logs into a device on our network. We have the proper auditing turned on for our Windows servers and I am putting Event Log tests on all our domain controllers.

My test properly picks up the event I am looking for (4624) and it does properly bring back when the description contains one of my domain admin usernames using "Account Name: xxxxxx".

I am using the Slack notification to send to the channel but the text when going to slack removes the CRLF and the NTEventUser is showing up blank.

My alert
Code:
############################################
:face_vomiting: :rotating_light: [%hostaddr%] :face_vomiting: :rotating_light:
############################################
%TestName%
Event Source: %NTEventSource%
Event Time: %NTEventTime%
Event Name: %NTEventTypeName%
Event User:   %NTEventUser%
Method: %TestMethod%
Date: %DateTime%
Status: %Status%
Recurr: %Recurrences%
Agent: %Agent%
Path: %FullPath%
############################################


Results:
Code:
############################################
:face_vomiting: :rotating_light: [localhost] :face_vomiting: :rotating_light:
############################################
SRVXXX1 - [10.0.0.1] - [NT Events log] - [DA Logon - 4624]
Event Source: Microsoft-Windows-Security-Auditing
Event Time: 1/21/2021 9:01:32 AM
Event Number: 8
Event Name: Success audit
Event User: -
Method: check NT Event Log
Date: 1/21/2021 3:01:43 PM
Status: Bad
Recurr: 1
Agent: SRVXXX1
Path: Root\COMPANY\Servers\Virtual\SRVXXX1\
############################################


Here is part of the 4624 event log:
Code:
2021-01-21 14:34:22   Local7.Debug   10.224.8.11   2021-01-21 08:34:21 SRVXXX1 AUDIT_SUCCESS 4624 An account was successfully logged on.

Subject:
   Security ID:      S-1-5-18
   Account Name:      SRVXXX1$
   Account Domain:      COMPANY
   Logon ID:      0x333

Logon Information:
   Logon Type:      2
   Restricted Admin Mode:   -
   Virtual Account:      No
   Elevated Token:      No

Impersonation Level:      Impersonation

New Logon:
   Security ID:      S-1-5-21-2222222222-2222222222-1935222222222213326-2222
   Account Name:      myusername
   Account Domain:      COMPANY
   Logon ID:      0x22222222222
   Linked Logon ID:      0x22222222222
   Network Account Name:   -
   Network Account Domain:   -
   Logon GUID:      {00000000-0000-0000-0000-000000000000}


My question would be as it relates to the %NTEventUser% variable if it's pullilng the "Account Name" or what piece of information it key's off of during this process? Am i looking at the wrong log or a log where that will not work?


If there is another way in achieving this where i can simply return the user account that was trying to login, I am all ears. I was trying to potentially alter the Reply results with just the Account Name but figured after some reading that I couldn't do that based on how that was intended to work.
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12431
Location: USA

PostPosted: Thu Jan 21, 2021 11:55 am    Post subject: Reply with quote

Windows version on HostMonitor and remote system?
HostMonitor version?

I think %NTEventUser% is empty because there is no such data in the event record. Does Windows Event Viewer shows "User: N/A" for this event?
While "Account Name: myusername" is part of event text, %NTEventText% can be used to retrieve event message.

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
paulnus



Joined: 29 Aug 2011
Posts: 17

PostPosted: Thu Jan 21, 2021 12:11 pm    Post subject: Reply with quote

I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.

Windows on HM: Microsoft Windows Server 2019 Datacenter
HM Version: v12.56

Windows on DC: Microsoft Windows Server 2019 Standard
RMA Version: v7.31

I was going down the road of using "Tune up Reply" to getword but i really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> The first word after "Account:" in the %NTEventText%. I realize now, that getword doesn't actually work that way.
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12431
Location: USA

PostPosted: Thu Jan 21, 2021 12:50 pm    Post subject: Reply with quote

Quote:
I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.

Sorry, I do not understand what do you mean
What means Key field? HostMonitor checks events using filter you set for the test, like event ID, event type, some text string(s).
If you set filter using "Description contains any string from the list: Account Name" then HostMonitor will check for "Account Name" string within event text.
This does not mean HostMonitor will show you just account name, this means HostMonitor will detect such event as "bad" and trigger status change and start actions assigned to the test.

While "User: N/A" related to parameter of the event. Its not part of event text, its special event field.
Your complain regarding %NTEventUser% is showing up blank, that's why I ask to check event parameters. Probably HostMonitor works correctly, there is no UserID specified for this event.

Quote:
i really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> The first word after "Account:" in the %NTEventText%

There is no such option.
May be we can add "GetLineWithText" operator - find line with specific text and return entire line.
So you will be able to use some expression like
"%NTEventText%" GetLineWithText "Account Name:" getword 3

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
KS-Soft



Joined: 03 Apr 2002
Posts: 12431
Location: USA

PostPosted: Thu Jan 21, 2021 1:08 pm    Post subject: Reply with quote

On the other hand HostMonitor offers indexof and substr functions.
If you need 1 word after "Account Name:", you may use "TuneUp Reply value" option with expression like
[substr("%NTEventText%", indexof("%NTEventText%","Account Name:"), 100) getword 3]

Then just use %Reply% as parameter of the action

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
paulnus



Joined: 29 Aug 2011
Posts: 17

PostPosted: Thu Jan 21, 2021 1:12 pm    Post subject: Reply with quote

No problem, I was explaining it dumb.

What i was saying was that I was thinking the %NTEventUser% was something special that would be trying to extract usernames. I'm not in the logs enough to know that "User:" is a common field.

Great, i'll try to just return the line. That will suit my needs great.
Back to top
View user's profile Send private message
paulnus



Joined: 29 Aug 2011
Posts: 17

PostPosted: Thu Jan 21, 2021 1:42 pm    Post subject: Reply with quote

Worked!

I had to use "New Logon:" since the "Account Name:" appeared multiple times and grabbed the first one which is not what i wanted.

Code:
[substr("%NTEventText%", indexof("%NTEventText%","New Logon:"), 100) getword 8]
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

KS-Soft Forum Index