Detecting PCs vs Username Detection
Hi again,
A customer that has Eventlog 4.0 asks about this issue, having this log:
--------------------------LOG 1------------------------------------------
Object Open: Object Server: Security Object Type: File Object Name:
D:Bancos New Handle ID: - Operation ID: {0,159599026} Process ID: 8
Primary User Name: MXCTZAP02$ Primary Domain: FOSFATOS Primary Logon ID:
(0x0,0x3E7) Client User Name: rherrera Client Domain: FOSFATOS Client
Logon ID: (0x0,0x96A7B07) Accesses ReadData (or ListDirectory) Privileges
-
--------------------------------------------------------------------
And the problem concerning this: if we look at the "Primary User Name:
MXCTZAP02$" the name contains "$", when we look at the "Client User Name:
rherrera" it doesn't have the $ symbol.
Some other cases occur like this:
-----------------------------LOG 2--------------------------------------
Object Open: Object Server: Security Object Type: File Object Name:
D:Bancos New Handle ID: - Operation ID: {0,159599026} Process ID: 8
Primary User Name: MXCTZAP02$ Primary Domain: FOSFATOS Primary Logon ID:
(0x0,0x3E7) Client User Name: rherrera$ Client Domain: FOSFATOS Client
Logon ID: (0x0,0x96A7B07) Accesses ReadData (or ListDirectory) Privileges
-
-------------------------------------------------------------------
With the "Client User Name: rherrera$" that refers to a computer.
Some other cases occur like this:
--------------------------LOG 3------------------------------------------
Object Open: Object Server: Security Object Type: File Object Name:
D:Bancos New Handle ID: - Operation ID: {0,159599026} Process ID: 8
Primary User Name: MXCTZAP02$ Primary Domain: FOSFATOS Primary Logon ID:
(0x0,0x3E7) Client User Name: - Client Domain: FOSFATOS Client Logon ID:
(0x0,0x96A7B07) Accesses ReadData (or ListDirectory) Privileges -
------------------------------------------------------------------------
With the "Client User Name: -" refers to another thing, I don't know
exactly what.
I want to activate this alarm only when the first event occurs, not when a PC
is detected or a - symbol appears. If I filter to exclude the $ symbol,
nothing is going to be reported, because the message contains that symbol.
Any idea how can this be done?
Thanks
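
Added example, not part of the original post and not the product's own filter syntax: the three cases above can be told apart by testing only the value of the "Client User Name" field instead of searching the whole message for "$". The function names and the `<CLIENT>` placeholder are assumptions made for this sketch; the sample messages are constructed from the three logs quoted in the post.

```python
import re

# Capture only the value between the "Client User Name:" label and the next
# label, so the "$" in "Primary User Name: MXCTZAP02$" is never considered.
CLIENT_USER = re.compile(r"Client User Name:\s*(.*?)\s+Client Domain:")

def classify_client(message):
    """Return 'user', 'computer', 'none' or 'unparsed' for one event message."""
    flat = " ".join(message.split())      # undo line wrapping inside the message
    match = CLIENT_USER.search(flat)
    if match is None:
        return "unparsed"                 # field missing: do not guess
    name = match.group(1)
    if name in ("", "-"):
        return "none"                     # LOG 3: no client account recorded
    if name.endswith("$"):
        return "computer"                 # LOG 2: machine account
    return "user"                         # LOG 1: ordinary user account

def should_alert(message):
    """Alarm only when the client is an ordinary user account."""
    return classify_client(message) == "user"

# Constructed sample input: the message body from the post, with the client
# name substituted for each of the three cases.
TEMPLATE = (
    "Object Open: Object Server: Security Object Type: File Object Name: "
    "D:Bancos New Handle ID: - Operation ID: {0,159599026} Process ID: 8 "
    "Primary User Name: MXCTZAP02$ Primary Domain: FOSFATOS Primary Logon ID: "
    "(0x0,0x3E7) Client User Name: <CLIENT> Client Domain: FOSFATOS Client "
    "Logon ID: (0x0,0x96A7B07) Accesses ReadData (or ListDirectory) Privileges -"
)
SAMPLES = [TEMPLATE.replace("<CLIENT>", c) for c in ("rherrera", "rherrera$", "-")]

if __name__ == "__main__":
    for number, message in enumerate(SAMPLES, start=1):
        print("LOG", number, classify_client(message), should_alert(message))
```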