What is the event ID that the STAS need to read?

Hi everyone, I would like to know which event ID STAS needs to read. I mean, when we enable the policy "Audit account logon events", which Event Viewer ID does STAS read? I ask because on Windows we can enable a similar policy under Advanced Audit Policy Configuration.

I ask this because we are having some problems enabling this audit policy (Security Settings > Local Policies > Audit Policy > Audit account logon events), and I see that there are similar policies under Security Settings > Local Policies > Advanced Audit Policy Configuration.
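Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested") is written on the domain controller by the Account Logon > Audit Kerberos Authentication Service subcategory, which is the advanced-policy counterpart of the legacy "Audit account logon events" setting. The script below is an added example, not code from the thread or from Sophos: it checks that subcategory and lists recent 4768 events with the fields an identity collector such as STAS keys on (user, domain, client IP). Run it in an elevated PowerShell on the DC.

```powershell
# Added example: verify Kerberos TGT auditing on a DC and show the 4768 fields.
# auditpol.exe and Get-WinEvent are built into Windows; nothing else is assumed.

# 1. Check the advanced audit subcategory that produces 4768 (and 4771 on failure).
#    Once advanced audit policy is in effect it overrides the legacy category
#    checkbox, which is why the legacy setting can appear to revert.
auditpol.exe /get /subcategory:"Kerberos Authentication Service"

# 2. Enable success auditing if the output shows "No Auditing".
#    Prefer a GPO over a local change when a GPO already manages this DC.
# auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable

# 3. Pull the last hour of 4768 events and extract the fields a collector reads.
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d['TargetUserName']
            Domain   = $d['TargetDomainName']
            # IPv4 clients appear as '::ffff:a.b.c.d'; '::1' or '127.0.0.1' means the
            # request came from the DC itself, so no workstation can be resolved from it.
            ClientIP = $d['IpAddress']
            Status   = $d['Status']      # 0x0 = TGT issued
        }
    } | Format-Table -AutoSize
```

A 4768 whose ClientIP is the loopback address (a logon on the DC, a service account, or a scheduled task) carries no workstation to map, which is exactly the "localhost ip given from AD" case a collector has to handle.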



Hi Aditya,


Many thanks for your answer, this really helped me. I'm in trouble with STAS on Windows Server 2008 R2 because of a bug in the Local Group Policy: I couldn't enable the audit logon policy on this server. I mean, when I enable it, close the window and open it again, it is disabled again under "Security Settings" > Local Policies > Audit Policy. Talking with Microsoft support, I identified that under "Security Settings" > Local Policies > Advanced Audit Policy Configuration we can enable the "Logon/Logoff" policy, which is equivalent to the policies under "Security Settings" > Local Policies > Audit Policy, I mean it collects the same event ID that you said (event ID 4768).

But I face another problem with STAS: it still doesn't show the current users logged on to my AD. Could you help me with this? Take a look at the STAS log, you will see that STAS gets event ID 4768 but cannot go ahead and logs the following error: ERROR [0x9cc] 29/06/2017 09:31:00 : wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.5.40\root\cimv2': 0x800706ba

Here is the relevant part of the log:

DEBUG [0x9bc] 29/06/2017 09:31:00 : dca_eventlog: got Kerberos authentication event
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: UserName: gateway
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: DomainName: centricsystem
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: IPv6 WorkstationIP: :
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: localhost ip given from AD(127.0.0.1)
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: finding interface with internet traffic
ERROR [0x9cc] 29/06/2017 09:31:00 : wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.5.40\root\cimv2': 0x800706ba
DEBUG [0x9c4] 29/06/2017 09:31:00 : wrkstpoll_workerthread_wmi: no loggedin user found
MSG [0x9c4] 29/06/2017 09:31:00 : wrkstpoll_handle_logoff_req: Request received from CR
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_finishnotify: Thread ID: 0x9c4
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_finishnotify: Reset Event
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: interface found with ip 1
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: IPv4 WorkstationIP: 192.168.5.2
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_common: Event ID: 4768
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_common: EventType: AuditSuccess
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_common: CreateTime: 1498739460
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_common: ExpireTime: 1498740065
DEBUG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_common: LogonType: 2
DEBUG [0x9bc] 29/06/2017 09:31:00 : threadpool_run: Submitting Function 0x40a7f0
DEBUG [0x9bc] 29/06/2017 09:31:00 : threadpool_run: adding function at tail
DEBUG [0x9bc] 29/06/2017 09:31:00 : list_add_tail: first element added
DEBUG [0x9bc] 29/06/2017 09:31:00 : threadpool_run: get free thread: ThreadID: 0x9c4
DEBUG [0x9bc] 29/06/2017 09:31:00 : dca_enqueue_userinfo: callback submitted
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_threadproc: New Function added
DEBUG [0x9bc] 29/06/2017 09:31:00 : dca_eventlog: userinfo enqueued to dca processor
DEBUG [0x9c4] 29/06/2017 09:31:00 : list_remove_head: last element removed
DEBUG [0x9bc] 29/06/2017 09:31:00 : dca_eventlog: got security event: ID: 4768 <-> Type: 8
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_get_threadproc: Function 0x40a7f0
DEBUG [0x9bc] 29/06/2017 09:31:00 : dca_eventlog: got Kerberos authentication event
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_threadproc: Executing Function 0x40a7f0
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: UserName: gateway
DEBUG [0x9c4] 29/06/2017 09:31:00 : dca_filter_by_domainname: Domain 'centricsystem' has been Filtered-Out
MSG [0x9bc] 29/06/2017 09:31:00 : init_userinfo_kerberos: DomainName: centricsystem
DEBUG [0x9c4] 29/06/2017 09:31:00 : threadpool_finishnotify: Thread ID: 0x9c4
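The error in the log, 0x800706ba, is RPC_S_SERVER_UNAVAILABLE: the collector never reached the DCOM/WMI endpoint on the workstation, so the failure is in connectivity or in the target's RPC/WMI plumbing rather than in the event itself. The script below is an added example, not part of the thread or of STAS; it reproduces the poll from the collector host to the workstation named in the error and separates the common causes. It assumes you run it as an account that is a local administrator on the workstation.

```powershell
# Added example: reproduce the collector's WMI poll and narrow down 0x800706ba.
# $target is the address from the error line above; change it for another host.
$target = '192.168.5.40'

# 1. Is TCP/135 (the RPC endpoint mapper, first hop of every DCOM/WMI call) open?
#    Test-NetConnection does not exist on Windows Server 2008 R2, so use a raw socket.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $epmOpen = $tcp.BeginConnect($target, 135, $null, $null).AsyncWaitHandle.WaitOne(3000)
    "TCP 135 reachable: $epmOpen"   # $false: host down, wrong IP, or a firewall/ACL in the path
} finally { $tcp.Close() }

# 2. Ask the workstation for its interactively logged-on user, the value a
#    collector needs to map the 4768 event to a person on that machine.
try {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $target -ErrorAction Stop
    "Logged-on user reported by WMI: $($cs.UserName)"
} catch {
    "WMI query failed: $($_.Exception.Message)"
    # 0x800706ba and step 1 returned $false : network or firewall problem, not WMI.
    # 0x800706ba and step 1 returned $true  : the dynamic RPC port range the DCOM
    #   call is redirected to (49152-65535 by default on Vista and later) is blocked,
    #   or the Winmgmt service is stopped on the target.
    # 0x80070005 (access denied) instead     : credentials or DCOM permissions, so
    #   connectivity is fine and the fix is on the account, not the network.
}

# 3. On the workstation itself, this built-in rule group admits inbound WMI/DCOM
#    through Windows Firewall (run there, elevated):
#    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
```

If step 2 succeeds from the collector host under the same account the STAS service runs as, the remaining suspect is the service account itself, which is what a different error code (access denied) would point to.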