[THIN] Re: Security Event Logs
- From: "Steve Raffensberger" <sraffens1@xxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 2 Feb 2005 13:39:54 -0500
Doug,
First, I would not place much faith in the logon/logoff events in W2K. I
once tried to use them to determine user session times. I discovered that
528's are pretty believable but 538's may get logged many hours later or not
at all. That was long ago, before UPHClean. Maybe that would have helped.
By chance, are these logons via Nfuse or WI? I've seen similar behavior
under those circumstances. I always assumed that this was the initial logon
that verified the user credentials and displayed the appropriate published
apps. Another logon event might show up at the Citrix server when it
actually hosts your app.
Raff
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Stratton, Doug MSER:EX
Sent: Wednesday, February 02, 2005 12:36 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Security Event Logs
Can anyone tell me why I would get these two security event log id
everytime I log onto a ts with w2k on it?
I looked up the events at event id web and it says 528 is a logon (this is
good) and 538 is a log off (bad) I am not logging off just on.
First
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 2005-02-02
Time: 8:45:15 AM
User: domain\dstr
Computer: servername
Description:
Successful Logon:
User Name: dstr
Domain: domain
Logon ID: (0x0,0x18A37A52)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: server
Then
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2005-02-02
Time: 8:45:15 AM
User: domain\dstr
Computer: server
Description:
User Logoff:
User Name: dstr
Domain: domain
Logon ID: (0x0,0x18A37A52)
Logon Type: 7
Thanks
Doug Stratton
Telephone: (250) 356-6678
Email: Doug.M.Stratton@xxxxxxxxxxxxxxx
Other related posts:
