| KB ID: | 10003 |
| Last Revision: | November 26, 2006 |
| Version: | 1.0 |
Search: Find all computers that a specific user has logged onto.
The primary logons to a computer are logged as:
- Successful Logon (ID: 528)
- Service Ticket Request (ID: 673)
In addition to Successful Logons (ID: 528), logons to remote machines might be logged as a Service Ticket Request (ID: 673). Service Ticket Requests are more accurate when using Log Fidelity's solution: domain controllers log multiple identical Service Ticket Requests throughout the session while the user is logged on, but Log Fidelity's solution filters out the duplicates and logs only one Service Ticket Request, when the logon actually happens. The only difference between Successful Logons and Service Ticket Requests is the IP address: the IP logged by a Successful Logon sometimes contains the IP address of the remote computer if the user is logging in remotely via Terminal Services (aka Remote Desktop), whereas the IP logged in the Service Ticket Request is always the IP address of the computer being logged onto.
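The collapsing of repeated Service Ticket Requests described above, as an added example (this is not Log Fidelity's code or algorithm). The record layout, the 4-hour session gap and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. The tuple layout
# (timestamp, event_id, user, computer, ip) is a hypothetical normalized form.
EVENTS = [
    ("2006-11-20T08:01:00", 528, "jdoe", "WKS01", "10.0.0.21"),
    ("2006-11-20T08:01:05", 673, "jdoe", "WKS01", "10.0.0.21"),
    ("2006-11-20T09:01:05", 673, "jdoe", "WKS01", "10.0.0.21"),   # repeat
    ("2006-11-20T10:01:05", 673, "jdoe", "WKS01", "10.0.0.21"),   # repeat
    ("2006-11-20T11:30:00", 673, "jdoe", "SRV-FILE01", "10.0.0.5"),
    ("2006-11-20T11:45:00", 673, "jdoe", "SRV-FILE01", "10.0.0.5"),  # repeat
    ("2006-11-20T17:00:00", 538, "jdoe", "WKS01", "10.0.0.21"),   # logoff, ignored
    ("2006-11-21T08:03:00", 673, "jdoe", "WKS01", "10.0.0.21"),   # next day
    ("2006-11-20T08:10:00", 528, "asmith", "WKS02", "10.0.0.22"),
]

LOGON_IDS = (528, 673)            # the two event IDs this article relies on
SESSION_GAP = timedelta(hours=4)  # assumption: quieter than this = new logon


def computers_for_user(events, user, gap=SESSION_GAP):
    """Return {computer: [(when, event_id, ip), ...]} for one user.

    Every 528 is kept. A 673 is kept only if no other 673 for the same
    computer was seen within `gap`, so repeats during a session collapse
    to the first request.
    """
    last_673 = {}   # computer -> time of the most recent 673
    logons = {}
    for ts, event_id, name, computer, ip in sorted(events):
        if event_id not in LOGON_IDS or name.lower() != user.lower():
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 673:
            prev = last_673.get(computer)
            last_673[computer] = when   # slide the window on every repeat
            if prev is not None and when - prev < gap:
                continue
        logons.setdefault(computer, []).append((when, event_id, ip))
    return logons


if __name__ == "__main__":
    for computer, hits in sorted(computers_for_user(EVENTS, "jdoe").items()):
        print(computer, [(w.isoformat(), eid, ip) for w, eid, ip in hits])
```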
PREREQUISITES
The name (aka sAMAccountName) of the user.
ESTIMATED QUERY TIME
< 1 second.
METHOD 1 (Quick Search)
1. Enter the username in the Quick Search field and click Go.
2. (If needed) Turn off "Activity logs BY object" and "Activity logs TO object".
3. (If needed) Turn on Smart Filter and disable any events that contain information you are not looking for.
Note: A Service Ticket Request is also logged when the user authenticates via Kerberos (for example, Outlook uses Kerberos to authenticate to a Microsoft Exchange Server). In this scenario, you can use the Smart Filter to filter out Kerberos authentications that are not logons.
METHOD 2 (Advanced Search)
1. Enter the username in the Client Name field.
2. Select Logon Events only.
3. Select "Success" in the Type field.
4. Click Submit.
LIKELY SCENARIOS IT APPLIES TO
- User account credentials or authentication information have been breached and you want to investigate the activity of this account.
- You want to know what computers a particular user has been logging onto.
- You want the usage information of a user.
FINE TUNE YOUR SEARCH
If you know the time scope or the domain of the computers, or want to restrict your searches to users in a specific domain, you can fine-tune your search.

