Microsoft KB Archive/98833

= Interpreting LAN Manager's Audit Log =

Article ID: 98833

Article Last Modified on 10/31/2006



This article was previously published under Q98833



SUMMARY
This article answers these questions related to the LAN Manager audit log output:


 * What is the difference between an Audit log entry of type &quot;Session&quot; with text of &quot;Logoff Normal&quot; versus the type &quot;Audit&quot; with text of &quot;Log off Network&quot;?
 * What is the difference between the audit log entries &quot;Log on to Network&quot; with text of &quot;Logon User, Duration...&quot; compared to &quot;Session&quot; with text of &quot;Logon User, Duration...&quot;?
 * Why are there so many entries of &quot;Logon User - with a duration time of less than 1 second&quot;? Usually users are logged on for a longer duration right after that. Why this short time?

Briefly, these are server transactions that occur during the startup phase of a LAN Manager workstation, server, and server services. A more detailed explanation is provided below. The explanation works through an extended example; it does not address these three questions under separate headings.



MORE INFORMATION
Here is a typical audit output viewing a server startup logon pattern: Username                Type                 Date --

1 ***                   Service              12-01-92 05:01pm 2  NETLOGON Installed

3 ***                   Service              12-01-92 05:02pm 4  ALERTER Installed

5 ***                   Service              12-01-92 05:02pm 6  REPLICATOR Installed

7 ***                   Service              12-01-92 05:02pm 8   SERVER Installed

9 ***                   Server               12-01-92 05:02pm 10  Server started

11 BILLG                Session              12-01-92 05:02pm 12  Logon Admin

13 BILLG                Log on to network    12-01-92 05:02pm 14  Logon Admin

15 BILLG                Session              12-01-92 05:02pm 16  Logoff normal, Duration: Less than one second

17 BILLG                Session              12-01-92 05:02pm 18  Logon Admin The command completed successfully. The 18 lines of this audit record were generated from a STARTUP.CMD file containing the following lines:   net start server /auditing:yes net logon billg password /y Note: Lines have been inserted in the audit log (shown above) to provide a logical grouping of transaction information with two transaction lines per grouping.

The first command executed in the STARTUP.CMD (shown above) is &quot;NET START SERVER /AUDITING:YES&quot;. This generates lines 1-10 of the audit log output.

As noted above, all entries may be logically paired to show:


 * Who did an activity (at what time)
 * What activity occurred

Example
1 *** Service          12-01-92 05:01pm       2  NETLOGON Installed                         The *** on lines 1, 3, 5, 7, and 9 further above indicate the server performed the activity. After the services and server start, the audit log contains lines 1-10.

The second command executed in the STARTUP.CMD file is &quot;net logon Billg password /y&quot;.

The &quot;successful session logon&quot; transaction is one that can be audited. (See page 43 of the Microsoft LAN Manager &quot;Installation and Configuration Guide,&quot; version 2.2 for other auditing transactions).

Associated with a NET LOGON (even executed from the server) is first a broadcast by the workstation services routines to find the server. This broadcast results in a session establishment between the workstation and server to receive a request (in this case, to handle a NET LOGON request). In the course of session establishment (similar to a NET USE), a user validation occurs. This results in an audit entry for &quot;successful session logon&quot; as shown below. 11 BILLG             Session              12-01-92 05:02pm 12  Logon Admin Note: At this point we have done nothing related to the NET LOGON service, although the user account database is used for a user/password validation.

Next, the workstation sends a Server Message Block (SMB) request to the server service to &quot;logon to the network&quot;. This request is received by the server and processed by the NET LOGON service. This includes validation by the NET LOGON service of the user's username and password. This is the &quot;successful network logon&quot;. 13 BILLG               Log on to network    12-01-92 05:02pm 14  Logon Admin After this, the NET LOGON session is disconnected from the server. This is displayed in the audit log as a logoff (actually, this is a session disconnect). For NET LOGON, this pattern of broadcast, session establishment, NET LOGON, and disconnect is normal because NET LOGON is session based. After the NET LOGON occurs, the session is disconnected because no permanent session is required after the NET LOGON completes. 15 BILLG               Session              12-01-92 05:02pm 16  Logoff normal, Duration: Less than one second This reveals the following pattern (*) for NET LOGON transactions:  * session connect   ->  [session logon] 11 BILLG              Session              12-01-92 05:02pm 12  Logon Admin

* logon validation  -> [network logon] 13 BILLG               Log on to network    12-01-92 05:02pm 14  Logon Admin

* session disconnect -> [session disconnect] 15 BILLG               Session              12-01-92 05:02pm 16  Logoff normal, Duration: Less than one second Finally, if persistent connections are enabled (as in this case), a NET USE may occur, resulting in session establishment of a more permanent session logon (depending on the autodisconnect value). 17  BILLG              Session              12-01-92 05:02pm 18  Logon Admin

