Event Log understanding

  • Hello everyone. I'm doing some research on event logs and trying to understand how they should be appearing, but my studies and what I actually see aren't lining up, and the instructor didn't really clear it up either. Any help would be greatly appreciated.

    What I understand:

    A user logs in on a regular client with a domain account:

    • 4624 log created on that client
    • 4768 log created on the Domain Controller
    • 4625 log created on the client if the login is unsuccessful.
    • 4772 log created on the Domain Controller if authentication fails
    • Logon type is 2 (interactive).

    A user logs in on a client with a local account

    • 4624 log created on that client
    • Authentication log is on the client as well (can't recall the log number)
    • Logon type is 2 (interactive).

    What I see in practice

    • Several 4625 logs on the domain controller with the client hostname as the account name. Logon type 3.
    • Several 4624 logs on the domain controller with the client hostname as the account name. Logon type 3.
    • Several 4625 logs on the domain controller from local accounts. Logon type 3 (Network).

    I read that the clients have to "logon" as well, so this may be why I am seeing the logons with hostnames as the account name, but what exactly does that mean? And if it is unsuccessful, does that just mean it couldn't get on to the domain?

    I believe I've read that when a client is connected/reconnected to the domain the local accounts attempt to authenticate to the domain. Is this true?

    Thank you for the help.


    • Edited by Sanjinkan Wednesday, September 26, 2018 5:05 PM
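To check which of the 4624/4625 events above are computer-account logons (the client hostname with a trailing `$`, i.e. the machine's own domain account) and which are user logons, the following PowerShell query is an added example, not code from the original post. It summarises recent Security events by event ID, logon type and account kind. It assumes it is run from an elevated PowerShell on the host whose Security log you want to inspect (for example the domain controller) and that Security auditing for logon events is enabled there; `Get-LogonSummary` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the original post): summarise 4624/4625 Security
# events by logon type and by whether the target account is a computer account.
# Assumes an elevated session on the host whose log is inspected.

$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonSummary {
    param(
        [int]$MaxEvents = 5000,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Read EventData fields by name from the event XML; the positional
        # Properties indices differ between 4624 and 4625, names do not.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user = $data['TargetUserName']
        $lt   = [int]$data['LogonType']
        $ltName = if ($logonTypeNames.ContainsKey($lt)) { $logonTypeNames[$lt] } else { "$lt" }

        [PSCustomObject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Outcome     = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            LogonType   = $ltName
            # Computer (machine) accounts end in '$'; user accounts do not.
            AccountKind = if ($user -like '*$') { 'Computer' } else { 'User' }
            Domain      = $data['TargetDomainName']
            Account     = $user
            SourceIp    = $data['IpAddress']
            # Populated only for 4625; explains why the logon failed.
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']
        }
    }
}

# Counts per (event, logon type, account kind), most frequent first.
Get-LogonSummary |
    Group-Object EventId, LogonType, AccountKind |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Pipe `Get-LogonSummary` through `Where-Object { $_.EventId -eq 4625 }` and look at `Account`, `SourceIp`, `Status` and `SubStatus` to see which hosts the failing Network (type 3) logons come from and which account they name; for a local (non-domain) account the `Domain` column shows the originating computer name rather than the domain.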
