Full Disclosure mailing list archives
Re: Windows 2000 Logout events are not monitored!
From: "Bill Royds" <full-disclosure () royds net>
Date: Tue, 11 Nov 2003 13:13:49 -0500
Yes, it is event number 538, 540 is logon. Sorry. This was on a Win2k pro machine.

----- Original Message -----
From: "Darren Bennett" <DARREN.L.BENNETT () saic com>
To: "Bill Royds" <full-disclosure () royds net>
Cc: "Full Disclosure" <full-disclosure () lists netsys com>
Sent: Tuesday, November 11, 2003 11:36 AM
Subject: Re: [Full-disclosure] Windows 2000 Logout events are not monitored!

: Bill,
:
: In windows 2k pro it is event 538. Are you talking about win 2k server
: only? In either case, logout events in win2k pro are broken. If anyone
: has a fix, I'd be happy to hear about it.
:
: -Darren
:
: On Mon, 2003-11-10 at 16:44, Bill Royds wrote:
: > The logout event is event number 540 in security log. All the Win2K I manage
: > have these entries for every logout. Check your security policy to ensure
: > that you are recording them.
: > These are in Local Security Policy MMS under Local Policies/Audit
: > Events/{Audit account logon events,Audit logon events}. You want both
: > success and failure to capture a successful logoff.
: >
: > ----- Original Message -----
: > From: "Darren Bennett" <DARREN.L.BENNETT () saic com>
: > To: "Full Disclosure" <full-disclosure () lists netsys com>
: > Sent: Monday, November 10, 2003 12:42 PM
: > Subject: [Full-disclosure] Windows 2000 Logout events are not monitored!
: >
: >
: > : It's possible this has been on the list before but I'm going to check
: > : anyway. With windows 2000 (server is the platform I have tested), when
: > : auditing of login/logout events is enabled, only login events are
: > : recorded. This appears to be a bug with Windows. I have tried applying a
: > : patch from Microsoft that is supposed to fix this and the patch didn't
: > : work. Anyone else seen this behavior? Any suggestions on how I could
: > : record logout events without relying on MS?
: > :
: > : -Thanks,
: > :
: > : Darren
: > :
: > :
: > : -----------------------------------------------
: > : Darren Bennett - CISSP
: > : Sr. Systems Administrator/Manager
: > : Science Applications International Corporation
: > : Advanced Systems Development and Integration
: > : -----------------------------------------------
: > :
: > : _______________________________________________
: > : Full-Disclosure - We believe in it.
: > : Charter: http://lists.netsys.com/full-disclosure-charter.html
: --
: -----------------------------------------------
: Darren Bennett - CISSP
: Sr. Systems Administrator/Manager
: Science Applications International Corporation
: Advanced Systems Development and Integration
: -----------------------------------------------
:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html