I'm working on modifying our current Windows log setup and have run across an issue I can't quite seem to find the answer to. We currently have nxlog configured on each DC to send Windows event IDs 4624 and 4625 to a central log server for basic user login information, both successful and failed. The nxlog config works just fine, but the issue I have is with excessive logon events.
When testing the config, I logged into a few different machines using my domain credentials. On each test, I received anywhere between 10 and 70 4624 events per login. They were all "Microsoft-Windows-Security-Auditing[524]: An account was successfully logged on. Logon Type: 3" type of log and always came from the same DC.
Below is a log example that is basically repeated over and over again.
Dec 17 13:02:57 dc1.domain.com Microsoft-Windows-Security-Auditing[536]: An account was successfully logged on. Subject: Security ID: ________ Account Name: -
Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: __________ Account Name: my_user_name
Account Domain: my_domain Logon ID: __________ Logon GUID:
{_________} Process Information: Process ID: 0x0 Process Name: - Network Information:
Workstation Name: Source Network Address: 192.168.1.10 Source Port: 61371
I want it to tell me that X user is logging in, but I only need 1 of those entries per login and not multiple ones.
Any help would be greatly appreciated.
Thanks, Eric
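The one-entry-per-login collapse the post asks for, as an added example that is not part of the original post or of nxlog: a small Python filter that parses 4624 lines in the format shown above and keeps only the first event per (domain, user, logon type, source address) inside a 60-second window, so the dozens of Logon Type 3 repeats become one record while logins from other users or workstations stay visible. The sample lines, SIDs and the year are constructed (syslog timestamps carry no year); failed logons (4625) are deliberately not collapsed, since bursts of failures are themselves a signal. nxlog can do the equivalent at the agent with a pm_evcorr Suppress rule (Condition plus Interval).

```python
import re
from datetime import datetime, timedelta

# Matches the nxlog/syslog rendering of event 4624 shown in the post. The
# first "Account Name:" belongs to the Subject, so the user is taken only
# after "New Logon:". DOTALL copes with the message being wrapped onto lines.
PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ Microsoft-Windows-Security-Auditing\[\d+\]: "
    r"An account was successfully logged on\..*?Logon Type: (?P<ltype>\d+)\s+"
    r"New Logon:.*?Account Name: (?P<user>\S+)\s+Account Domain: (?P<domain>\S+)"
    r".*?Source Network Address: (?P<src>\S+)", re.DOTALL)

def parse_logon(line, year=2015):
    """Return the fields needed for de-duplication, or None if not a 4624 line.
    `year` is an assumption: syslog timestamps do not include one."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"].lower(), "domain": m["domain"].lower(),
            "logon_type": m["ltype"], "src": m["src"]}

def dedupe_logons(lines, window=timedelta(seconds=60)):
    """Keep the first 4624 per (domain, user, logon type, source) per window.
    Later events within `window` of the kept one are dropped.
    Returns (kept_events, dropped_count)."""
    first_seen, kept, dropped = {}, [], 0
    for line in lines:
        ev = parse_logon(line)
        if ev is None:
            continue
        key = (ev["domain"], ev["user"], ev["logon_type"], ev["src"])
        first = first_seen.get(key)
        if first is not None and ev["ts"] - first < window:
            dropped += 1
            continue
        first_seen[key] = ev["ts"]
        kept.append(ev)
    return kept, dropped

def make_line(ts, user, src, port, logon_type="3"):
    """Build a constructed 4624 line in the post's format (SIDs are placeholders)."""
    return (f"{ts} dc1.domain.com Microsoft-Windows-Security-Auditing[536]: "
            "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
            f"Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: {logon_type} "
            f"New Logon: Security ID: S-1-5-21-0 Account Name: {user} "
            "Account Domain: my_domain Logon ID: 0x1 Logon GUID: {0} "
            "Process Information: Process ID: 0x0 Process Name: - Network Information: "
            f"Workstation Name: Source Network Address: {src} Source Port: {port}")

SAMPLE_LOGS = [  # constructed: one burst, one other user, one later login
    make_line("Dec 17 13:02:57", "my_user_name", "192.168.1.10", 61371),
    make_line("Dec 17 13:02:57", "my_user_name", "192.168.1.10", 61372),
    make_line("Dec 17 13:02:58", "my_user_name", "192.168.1.10", 61380),
    make_line("Dec 17 13:03:01", "other_user", "192.168.1.20", 50211),
    make_line("Dec 17 13:03:10", "my_user_name", "192.168.1.10", 61390),
    make_line("Dec 17 13:05:30", "my_user_name", "192.168.1.10", 61410),
]
```

Keying on the source address rather than the DC matters here: the post notes every repeat comes from the same DC, so the workstation address is what distinguishes one login from another.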