I have found out that I can have a NOT search as a subsearch. Here every event is kicked out which has its Logon_ID present in an EventCode 4634 event.
It's not a search query for real-time searches, but it kind of does its work.
Account_Name=server-evermann EventCode=4624 | eval logid=mvindex(Logon_ID, 1) | search NOT [search Account_Name=server-evermann EventCode=4634 | rename Logon_ID as logid | table logid] | table _time, logid, Source_Network_Address, host | sort - _time
The second problem is way worse, and that is something I found out through solving that problem.
A logon event on a DC is not what you think it is. Sometimes more than 4 events are generated when logging on to a system,
which all have different Logon_IDs. A few minutes later all the Logon_IDs are marked as logged off (from EventCode 4634) even though the connection is still established. That's because it is not the user's logon that generates the logon event 4624; the GPO update does. That means I've got an EventCode 4624 generated on every logon I do on a server (and on every forced user-specific GPO update), which comes every 90 minutes (depending on your configuration of how often the GPO should update), and it gets a logoff event when the update is done...
Does anyone have the same problem with domain user logging? I simply log all my DCs and thought I could catch all logon and logoff actions in my domain. I don't think it is necessary to install a universal forwarder on every server in my domain or use WMI (which is a lame piece of crap in my opinion), or is it?!
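The correlation the search above performs, written out in Python as an added example that is not part of the original post: the Logon_IDs seen in 4634 events play the role of the NOT subsearch, mvindex(Logon_ID, 1) picks the New Logon ID out of the two values a 4624 carries (index 0 is the Subject's Logon ID), and the result is the still-open sessions, newest first. The sample events are constructed to mirror the post's description (a second 4624 created by a GPO refresh that gets its 4634 a few seconds later while the original session stays open); field names follow Splunk's default Windows Security extractions and are assumptions about how the poster's data looks.

```python
"""Correlate Windows Security 4624 (logon) and 4634 (logoff) events by Logon_ID.

Added example, not code from the original post. It reproduces the logic of the
Splunk search: keep the 4624 events of an account whose New Logon ID never
appears in a 4634, i.e. sessions that still look open. The events below are
constructed sample data, not real logs.
"""
from datetime import datetime, timedelta

BASE = datetime(2015, 3, 10, 9, 0, 0)

# Constructed events. As in Splunk, a 4624 carries two Account_Name and two
# Logon_ID values: index 0 belongs to the Subject (who performed the logon,
# typically 0x3e7 = SYSTEM), index 1 to the New Logon that a later 4634 refers to.
SAMPLE_EVENTS = [
    {"_time": BASE, "host": "dc01", "EventCode": 4624,
     "Account_Name": ["DC01$", "server-evermann"],
     "Logon_ID": ["0x3e7", "0x1a2b3c"], "Source_Network_Address": "10.0.0.15"},
    # A second 4624 for the same user seconds later: the GPO refresh described
    # in the post produces a separate session with its own Logon_ID ...
    {"_time": BASE + timedelta(seconds=12), "host": "dc01", "EventCode": 4624,
     "Account_Name": ["DC01$", "server-evermann"],
     "Logon_ID": ["0x3e7", "0x1a2c00"], "Source_Network_Address": "10.0.0.15"},
    # ... and that session is logged off again as soon as the refresh is done.
    {"_time": BASE + timedelta(seconds=40), "host": "dc01", "EventCode": 4634,
     "Account_Name": ["server-evermann"], "Logon_ID": ["0x1a2c00"]},
    # A still-open session of the same user on another DC (newer, so sorts first).
    {"_time": BASE + timedelta(minutes=2), "host": "dc02", "EventCode": 4624,
     "Account_Name": ["DC02$", "server-evermann"],
     "Logon_ID": ["0x3e7", "0x1a2d77"], "Source_Network_Address": "10.0.0.15"},
    # Unrelated account, must never be reported for server-evermann.
    {"_time": BASE + timedelta(minutes=5), "host": "dc02", "EventCode": 4624,
     "Account_Name": ["DC02$", "jdoe"],
     "Logon_ID": ["0x3e7", "0x2b0001"], "Source_Network_Address": "10.0.0.99"},
]


def mvindex(values, i):
    """Splunk's mvindex(): i-th value of a multivalue field, None if out of range."""
    if isinstance(values, str):
        values = [values]
    return values[i] if -len(values) <= i < len(values) else None


def logoff_ids(events, account):
    """Logon_IDs that appear in a 4634 for the account (the NOT subsearch)."""
    return {mvindex(e["Logon_ID"], 0) for e in events
            if e["EventCode"] == 4634 and account in e["Account_Name"]}


def open_logons(events, account):
    """4624 events of `account` whose New Logon ID has no 4634, newest first."""
    closed = logoff_ids(events, account)
    rows = []
    for e in events:
        if e["EventCode"] != 4624 or account not in e["Account_Name"]:
            continue
        logid = mvindex(e["Logon_ID"], 1)  # New Logon ID, not the Subject's
        if logid is None or logid in closed:
            continue
        rows.append({"_time": e["_time"], "logid": logid,
                     "Source_Network_Address": e.get("Source_Network_Address"),
                     "host": e["host"]})
    return sorted(rows, key=lambda r: r["_time"], reverse=True)


if __name__ == "__main__":
    for row in open_logons(SAMPLE_EVENTS, "server-evermann"):
        print(row["_time"], row["logid"], row["Source_Network_Address"], row["host"])
```

Run stand-alone it lists the two sessions of server-evermann that never received a 4634; the GPO refresh session 0x1a2c00 is dropped because its Logon_ID shows up in the logoff set, which is exactly what the NOT subsearch does in the search above.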