Security Basics mailing list archives
Monitoring security event logs
From: g () 27 eclipse co uk
Date: 21 Jan 2007 19:27:12 -0000
Hi all,

I am monitoring the logoff and logon event logs for some machines in my domain. I notice that for one single logon there are multiple successful logons in the event log. Sometimes the logon process is either or both "advapi" and "user32". Does anyone know the difference between these?

I try to pair the Logon IDs for each session to calculate logon times, and I notice on some occasions that the logon/logoff ID is the same, but parts of it have capitalisation. Does anyone know why?

Also, some logon IDs seem to not have a logoff ID pair (even though the user has logged off). Does anyone know why?

Thanks in advance,
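An added example, not part of the original post: one way to pair logon and logoff records by Logon ID so that hex capitalisation does not break the match and logons with no logoff record are listed separately. The record layout, the sample data, and the event IDs (528/540 for logon, 538 for logoff, as used in pre-Vista Security logs) are assumptions.

```python
import re
from datetime import datetime

# Assumption: pre-Vista Security log event IDs (528/540 logon, 538 logoff).
LOGON_EVENTS = {528, 540}
LOGOFF_EVENTS = {538}

# Constructed sample records (time, event ID, user, Logon ID); not from a real log.
SAMPLE = [
    ("2007-01-21 09:00:01", 528, "alice", "(0x0,0x3e7a1)"),
    ("2007-01-21 09:00:02", 540, "alice", "(0x0,0x3E7B9)"),
    ("2007-01-21 09:00:05", 538, "alice", "(0x0,0x3e7b9)"),
    ("2007-01-21 17:30:00", 538, "alice", "(0x0,0x3E7A1)"),
    ("2007-01-21 18:00:00", 528, "bob", "(0x0,0x4F00C)"),
]

def normalize_logon_id(text):
    """Turn '(0x0,0x3E7A1)' into a tuple of ints so case and zero padding do not matter."""
    parts = re.findall(r"0x([0-9a-fA-F]+)", text)
    if not parts:
        raise ValueError(f"no hex Logon ID in {text!r}")
    return tuple(int(p, 16) for p in parts)

def pair_sessions(records):
    """Return (sessions, unpaired_logons, orphan_logoffs).

    sessions holds (user, logon_id, start, end, seconds) tuples."""
    open_logons, sessions, orphans = {}, [], []
    for ts, event_id, user, raw_id in sorted(records):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = normalize_logon_id(raw_id)
        if event_id in LOGON_EVENTS:
            open_logons[key] = (user, when)
        elif event_id in LOGOFF_EVENTS:
            if key in open_logons:
                who, start = open_logons.pop(key)
                sessions.append((who, key, start, when, (when - start).total_seconds()))
            else:
                orphans.append((user, key, when))  # logoff with no logon in this data
    unpaired = [(u, k, s) for k, (u, s) in open_logons.items()]
    return sessions, unpaired, orphans

if __name__ == "__main__":
    sessions, unpaired, orphans = pair_sessions(SAMPLE)
    for user, key, start, end, secs in sessions:
        print(f"{user} {key} {start} -> {end} ({secs:.0f}s)")
    for user, key, start in unpaired:
        print(f"{user} {key} logon at {start} has no logoff record")
```

Logon IDs are only unique within one machine and one boot, so records from several machines need the computer name added to the pairing key.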