事件日志审核AD获取用户的IP [英] EventLog Auditing AD Get User IP
本文介绍了事件日志审核AD获取用户的IP的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
哪些审核设置应以看AD登录的用户的IP地址启用?
Which auditing settings should be enabled in order to see AD logged in user's ip address?
推荐答案
在任何域服务器,在事件日志中,你可以找到你要的信息
On any Domain Server, in the event log, you can find the information you ask for
下面是一个用户登录事件4624的提取和注销事件4634,你可以让悫由名为TargetLogonId数据的事件的关系。该IP联系地址是名为IpAdress数据。
Here is the extraction of a user login Event "4624" and logout Event "4634" you can make a relation betwen the events by the data named TargetLogonId. The IP adress is in data named IpAdress.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-05-26T11:09:52.930000000Z" />
<EventRecordID>33354</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="3244" />
<Channel>Security</Channel>
<Computer>WM2008R2ENT.dom.fr</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
<Data Name="TargetUserName">WM2008R2ENT2$</Data>
<Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">
</Data>
<Data Name="LogonGuid">{7B3D7A34-80A9-F1B2-CCF1-7F783ED88C28}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.183.101</Data>
<Data Name="IpPort">51243</Data>
</EventData>
</Event>
下面是一个用户注销事件4634
Here is the extraction of a user logout Event "4634"
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-05-26T11:10:03.070625000Z" />
<EventRecordID>33355</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="3244" />
<Channel>Security</Channel>
<Computer>WM2008R2ENT.dom.fr</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
<Data Name="TargetUserName">WM2008R2ENT2$</Data>
<Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data>
<Data Name="LogonType">3</Data>
</EventData>
</Event>
这篇关于事件日志审核AD获取用户的IP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
