Access Denied: Using Log Parser to Audit Domain Logons

For auditing purposes, I'd like to keep track of logons to my domain whether they are successful (event ID 528—Successful Logon) or not (event ID 529—Logon Failure). I don't need to track all event ID 540 (Successful Network Logon) events. I've tried configuring filters, but I could set up only one filter at a time. Can you help me?

First, let me say that using Audit logon events, the audit category that generates event IDs 528, 529, and 540, isn't an accurate way to track logons to your domain. The Audit logon events category captures logons to the actual physical domain controller (DC) but doesn't capture logons by workstation users who use domain accounts to log on to the domain. To capture those events, you need to enable auditing on the local workstation. With Windows 2000 and later, you should use the Audit account logon events audit category, which logs each authentication that the DC performs whether the logon is local or originates from a workstation or server on the network.

To monitor successful domain logons, check all your DCs for event IDs 672 (Authentication Ticket Granted) and 680 (Account Used for Logon by %1). To monitor for logons that failed because of a bad password, look for event ID 675 (Pre-authentication failed) with failure code 0x18 and event ID 681 (The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4) with error code 3221225578. For more information about auditing logon events and the differences between the two audit categories, see the Windows & .NET Magazine article "Audit Account Logon Events," March 2001, InstantDoc ID 19677.

Second, you're right that Event Viewer lets you configure only one filter at a time. However, you can create a custom console that includes multiple instances of Event Viewer. See "Monitoring Security with Custom MMC Consoles," March 2004, InstantDoc ID 41574, for details about how to create a custom console that contains multiple Security log views.

The best way to filter your Security logs for logon-related events, however, is to use the Log Parser tool. Log Parser lets you use SQL-like queries to extract data from log files. You can download the tool from http://www .microsoft.com/windows2000/downloads/tools/logparser/default.asp.

Listing 1 shows a LogParser command that queries the local computer's Security log for event ID 675 with failure code 0x18 and event ID 681 with error code 0xC000006A, then sorts the results by event ID, date, and time. (If you want to run this command on Windows Server 2003, you must first change EventID = 681 to EventID = 680 because of changes in the Windows 2003 Security log.) Figure 1 shows the resulting text file. You can view the file directly or import it into Microsoft Access and format it into a report.