Have you looked at the resource kit utility EVENTCOMB. It has this
functionality as a built in scan. The only difference would be to give it
some extra criteria to look for NTLM or Kerberos in the event text. The info
can be output to CSV, TXT, an Access DB or SQL Server. I believe the
current version is version 9.0.

Rob McShinsky

----- Original Message -----
From: "Brad Judy" <judy (at) colorado (dot) edu [email concealed]>
To: "'Sean Warnock'" <swarnock (at) warnocksolutions (dot) com [email concealed]>;
<FOCUS-MS (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, November 04, 2003 1:11 PM
Subject: RE: Event Log messages for failed logon attempts

> It sounds like you're trying to write something like this:
> http://pantheon.yale.edu/~kjh27/logger.html
>
> The author may be willing to distribute it beyond other EDUs if you ask.
>
> Brad Judy
>
> Information Technology Services
> University of Colorado at Boulder
>
> > -----Original Message-----
> > From: Sean Warnock [mailto:swarnock (at) warnocksolutions (dot) com [email concealed]]
> > Sent: Saturday, October 25, 2003 8:59 AM
> > To: FOCUS-MS (at) securityfocus (dot) com [email concealed]
> > Subject: Event Log messages for failed logon attempts
> >
> > I am currently working on a small script that will
> > parse the event logs of a Windows NT/2000/2003 domain
> > controller looking for failed logon attempts. I am currently
> > aware of event log message 529.
> > I believe that I have been able to generate several other
> > error messages for failed logon attempts depending upon what
> > a client is using to authenticate with (ex. Kerberos, NTLM,
> > etc...). Does anyone have any other input or articles that
> > they would suggest as the only KB article that I have found
> > so far was 299475.
> >
> > Sean
> >
> > --------------------------------------------------------------
> > -------------
> > FREE Whitepaper: Better Management for Network Security
> >
> > Looking for a better way to manage your IP security?
> > Learn how Solsoft can help you:
> > - Ensure robust IP security through policy-based management
> > - Make firewall, VPN, and NAT rules interoperable across
> > heterogeneous networks
> > - Quickly respond to network events from a central console
> >
> > Download our FREE whitepaper at:
> > http://www.securityfocus.com/sponsor/Solsoft_focus-ms_031015
> > --------------------------------------------------------------
> > -------------
> >
> >
>
>
> ------------------------------------------------------------------------
--
-
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
> and use priority code SF4.
> ------------------------------------------------------------------------
--
-
>
>

------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---

[ reply ]