Microsoft KB Archive/99278

= Microsoft Knowledge Base =

Interpreting LAN Manager's Audit Log
Last reviewed: September 30, 1994

Article ID: Q99278

SUMMARY
This article addresses the following questions on LAN Manager audit log output:


 * What is the difference between an Audit log entry of type "Session with text of Logoff Normal" versus the type "Audit with text of Log off Network"?
 * What is the difference between the audit log entries "Log on to Network with text of Logon User, Duration...." compared to "Session with text of Logon User, Duration...."?
 * Why are there so many entries of "Logon User - with a duration time of less than 1 second"? Usually users are logged on for a longer duration right after that. Why this short time?

The short answer is that these are server transactions that occur during the startup phase of a LAN Manager workstation, server, and server services. A more detailed explanation follows.

MORE INFORMATION
Here is a typical audit output viewing a server startup logon pattern:

Username                Type                 Date

 1 ***                  Service              12-01-92 05:01pm
 2 NETLOGON Installed

 3 ***                  Service              12-01-92 05:02pm
 4 ALERTER Installed

 5 ***                  Service              12-01-92 05:02pm
 6 REPLICATOR Installed

 7 ***                  Service              12-01-92 05:02pm
 8 SERVER Installed

 9 ***                  Server               12-01-92 05:02pm
10 Server started

11 BILLLG               Session              12-01-92 05:02pm
12 Logon Admin

13 BILLG                Log on to network    12-01-92 05:02pm
14 Logon Admin

15 BILLG                Session              12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second

17 BILLG                Session              12-01-92 05:02pm
18 Logon Admin

The command completed successfully.

The 18 lines of this audit record were generated from a STARTUP.CMD file containing the following 2 lines:

NET START SERVER /AUDITING:YES
NET LOGON BILLG PASSWORD /Y

Note: Blank lines have been inserted in the audit log (shown above) to provide a logical grouping of transaction information, with 2 transaction lines per grouping.

The first command executed in the STARTUP.CMD file (shown above) is NET START SERVER /AUDITING:YES. It generates lines 1-10 of the audit log output.

As noted above, all entries may be logically paired to show:

 * Who did an activity (at what time), then
 * What activity occurred

Example:

 1 ***                  Service              12-01-92 05:01pm     < Who performed >
 2 NETLOGON Installed                                             < What activity >

The *** on lines 1, 3, 5, 7 and 9 indicate the Server performed the activity. After the services and server start, the audit log will contain lines 1-10.

The second command executed in the STARTUP.CMD file is "NET LOGON BILLG PASSWORD /Y."

One transaction that can be audited is "successful session logons." (See the Microsoft LAN Manager "Installation and Configuration Guide," version 2.2, page 43 for other auditing transactions.)

Associated with a net logon (even when executed from the server) is first a broadcast by the workstation service routines to find the server. The result of this broadcast is a session establishment between the workstation and server to receive a request (in this case, it is established to handle a net logon request). In the course of session establishment (similar to a net use), a user validation occurs. This results in an audit entry for "successful session logon," as shown below.

11 BILLLG               Session              12-01-92 05:02pm
12 Logon Admin

Note: At this point nothing related to the netlogon service has happened yet, although the user account database is used to do a user/password validation.

Next, the workstation sends an SMB request to the server service to "Log on to the Network." This request is received by the server and processed by the netlogon service. This includes validation by the netlogon service of the user's username and password, the "successful network logons."

13 BILLG                Log on to network    12-01-92 05:02pm
14 Logon Admin

After this, the net logon session is disconnected from the server. This is displayed in the audit log as a logoff (actually, this is a session disconnect). For net logon, this pattern of broadcast, session establishment, net logon, and finally disconnect is normal, since net logon is session based. After the net logon occurs, the session is disconnected, since no permanent session is required once the net logon completes.

15 BILLG                Session              12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second

This reveals the following pattern for net logon transactions:

 * session connect -> [session logon]

11 BILLLG               Session              12-01-92 05:02pm
12 Logon Admin

 * logon validation -> [network logon]

13 BILLG                Log on to network    12-01-92 05:02pm
14 Logon Admin

 * session disconnect -> [session disconnect]

15 BILLG                Session              12-01-92 05:02pm
16 Logoff normal, Duration: Less than one second

Finally, if persistent connections are enabled (as in this case), a "net use" may occur, resulting in the establishment of a more permanent session logon (depending on the autodisconnect value).

17 BILLG                Session              12-01-92 05:02pm
18 Logon Admin
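The pairing and the three-entry net logon pattern described above lend themselves to a small script that an administrator reviewing a long audit log could use to separate startup noise from session activity. The following Python is an added example and is not part of the original article or of LAN Manager; it assumes the two-lines-per-transaction layout shown above (a "who" line followed by a "what" line) and operates on a constructed sample that mirrors the article's listing plus one ordinary user session. It goes slightly beyond the article's case by also labelling a session logon/logoff pair that is not part of the net logon handshake.

```python
"""Pair LAN Manager audit log lines and label the net logon startup pattern.

Added example (not from the original article). Assumes the two-line layout from
the article: a "who" line (user, type, timestamp) followed by a "what" line.
"""
import re
from dataclasses import dataclass

# Entry types seen in the article's listing. "Log on to network" contains
# spaces, so the type is matched against this fixed list, not a single token.
ENTRY_TYPES = ("Log on to network", "Session", "Service", "Server")

WHO_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<type>" + "|".join(re.escape(t) for t in ENTRY_TYPES)
    + r")\s+(?P<stamp>\d{2}-\d{2}-\d{2}\s+\d{2}:\d{2}[ap]m)\s*$"
)

# Constructed sample modelled on the article's lines 1-18 plus an ordinary
# user session (ALICE) that is not a net logon handshake.
SAMPLE_AUDIT = """\
*** Service 12-01-92 05:01pm
NETLOGON Installed
*** Server 12-01-92 05:02pm
Server started
BILLG Session 12-01-92 05:02pm
Logon Admin
BILLG Log on to network 12-01-92 05:02pm
Logon Admin
BILLG Session 12-01-92 05:02pm
Logoff normal, Duration: Less than one second
BILLG Session 12-01-92 05:02pm
Logon Admin
ALICE Session 12-01-92 05:30pm
Logon User
ALICE Session 12-01-92 06:45pm
Logoff normal, Duration: 1 hour 15 minutes
"""


@dataclass
class AuditEntry:
    user: str   # "***" means the server itself performed the activity
    type: str
    stamp: str
    what: str   # text of the paired "what" line


def parse_audit(text):
    """Pair each 'who' line with the following 'what' line, skipping blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines), 2):
        m = WHO_RE.match(lines[i])
        if m is None:
            raise ValueError(f"unexpected 'who' line: {lines[i]!r}")
        if i + 1 >= len(lines):
            raise ValueError("'who' line without a following 'what' line")
        entries.append(AuditEntry(m["user"], m["type"], m["stamp"], lines[i + 1].strip()))
    return entries


def is_transient_logoff(e):
    """Session disconnect that lasted less than one second (the net logon tail)."""
    return (e.type == "Session" and e.what.startswith("Logoff")
            and "Less than one second" in e.what)


def classify(entries):
    """Return (entry, label) pairs.

    The net logon handshake is three consecutive entries for the same user:
    session logon, network logon, then a session logoff of less than one second.
    Everything else is labelled by its type so a reviewer can skim the rest.
    """
    labels = [None] * len(entries)
    for i in range(len(entries) - 2):
        a, b, c = entries[i:i + 3]
        if (a.user == b.user == c.user
                and a.type == "Session" and a.what.startswith("Logon")
                and b.type == "Log on to network" and b.what.startswith("Logon")
                and is_transient_logoff(c)):
            labels[i] = "netlogon: session connect"
            labels[i + 1] = "netlogon: logon validation"
            labels[i + 2] = "netlogon: session disconnect"
    for i, e in enumerate(entries):
        if labels[i] is not None:
            continue
        if e.user == "***":
            labels[i] = "server activity"
        elif e.type == "Session" and e.what.startswith("Logon"):
            labels[i] = "persistent session logon"
        elif e.type == "Session" and e.what.startswith("Logoff"):
            labels[i] = "session logoff"
        elif e.type == "Log on to network":
            labels[i] = "network logon outside handshake"  # worth a second look
        else:
            labels[i] = "other"
    return list(zip(entries, labels))


if __name__ == "__main__":
    for entry, label in classify(parse_audit(SAMPLE_AUDIT)):
        print(f"{entry.stamp}  {entry.user:<8} {entry.type:<18} {entry.what:<45} {label}")
```

Run as a script it prints one labelled line per transaction; the three "netlogon:" labels mark the sub-second pattern the article explains, and the remaining "Session" entries are the ones that represent real connections. A "Log on to network" entry that is not bracketed by a session connect and a transient disconnect is flagged separately, since it does not match the normal startup sequence and deserves a closer look.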