Who is logging in - netlogon.log

Stephen Peterson 26 Reputation points
2022-10-05T17:36:25.507+00:00

Each DC has its own windows\debug\netlogon.log file.
There are entries such as
10/3 05:14:22 [LOGON] [5868] DOMAIN: SAMLOGON: Transitive Network Logon of domain\user from computer
10/3 05:14:22 [LOGON] [6072] DOMAIN: SAMLOGON: Network Logon of \user from \computer (via computer)
10/3 05:14:22 [LOGON] [2516] DOMAIN: SAMLOGON: Network Logon of domain\computer from computer
10/3 05:14:22 [LOGON] [292] DOMAIN: SAMLOGON: Transitive Network Logon of domain\user from computer (via computer)

I'm trying to write a PS script to parse the logs and pull user accounts that have been authenticated at LOGON on each DC. I don't need when someone accesses another computer or file share. Just logons. I want to find how many unique users are being authenticated at each DC.

Is there documentation anywhere on what the 5868, 6072, 2516, 292 codes are? There are over 360 unique codes in this log.
Are the "Network Logon" and "transitive network logon" both authenticating users at logon?

I can write the script and parse the log; I just need to figure out what I'm looking for.

I don't want to read the security event logs - they are being forwarded to a log collector that is not easy to query.

Thanks in advance.

Windows Server
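An added example, not part of the original post: a PowerShell parser for the four SAMLOGON line shapes quoted in the question, counting unique user accounts per DC and per logon type. The function name `ConvertFrom-NetlogonLine`, the DC name `DC01` and all account and computer names are constructed placeholders; the bracketed number is captured without interpreting it, and accounts ending in `$` are dropped as computer accounts.

```powershell
# Constructed sample lines in the shapes quoted in the question; every name is a placeholder.
$sample = @'
10/3 05:14:22 [LOGON] [5868] DOMAIN: SAMLOGON: Transitive Network Logon of DOMAIN\alice from WKS01
10/3 05:14:22 [LOGON] [6072] DOMAIN: SAMLOGON: Network Logon of \bob from \WKS02 (via SRV01)
10/3 05:14:23 [LOGON] [2516] DOMAIN: SAMLOGON: Network Logon of DOMAIN\WKS03$ from WKS03
10/3 05:14:24 [LOGON] [292] DOMAIN: SAMLOGON: Transitive Network Logon of DOMAIN\alice from WKS04 (via SRV02)
10/3 05:14:25 [MISC] [292] DOMAIN: constructed non-logon line that must be skipped
'@ -split "`r?`n"

# -match is case-insensitive, so "SAMLOGON" and "SamLogon" are both accepted.
$pattern = '^(?<Date>\d{1,2}/\d{1,2}) (?<Time>[\d:]{8}) \[LOGON\] \[(?<Id>\d+)\] (?<Domain>[^:]+): SamLogon: ' +
           '(?<Type>(?:Transitive )?Network Logon) of (?<Account>.+?) from (?<Source>\S+)(?: \(via (?<Via>[^)]+)\))?'

function ConvertFrom-NetlogonLine {
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [string]$DC = $env:COMPUTERNAME
    )
    process {
        # Lines that are not SAMLOGON entries produce no output.
        if ($Line -match $pattern) {
            [pscustomobject]@{
                DC      = $DC
                Stamp   = "$($Matches.Date) $($Matches.Time)"   # the log carries no year
                Id      = [int]$Matches.Id                      # bracketed number, kept as-is
                Type    = $Matches.Type
                Account = $Matches.Account.ToLowerInvariant()   # normalise case before de-duplicating
                Source  = $Matches.Source
                Via     = $Matches.Via                          # $null when there is no "(via ...)" suffix
            }
        }
    }
}

$events = $sample | ConvertFrom-NetlogonLine -DC 'DC01'

# Unique user accounts per DC and logon type, with computer accounts (trailing "$") excluded.
$events | Where-Object { $_.Account -notmatch '\$$' } |
    Group-Object DC, Type |
    ForEach-Object {
        [pscustomobject]@{
            DC          = $_.Group[0].DC
            Type        = $_.Group[0].Type
            UniqueUsers = @($_.Group.Account | Sort-Object -Unique).Count
        }
    }
```

To run it against real data, replace `$sample` with `Get-Content` on each DC's windows\debug\netlogon.log and pass that DC's name to `-DC`.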