parse netlogon.log for user logons.

Stephen Peterson 36 Reputation points
2022-10-05T21:01:21.177+00:00

Each DC has its own windows\debug\netlogon.log file.
There are entries such as
10/3 05:14:22 [LOGON] [5868] DOMAIN: SAMLOGON: Transitive Network Logon of domain\user from computer
10/3 05:14:22 [LOGON] [6072] DOMAIN: SAMLOGON: Network Logon of \user from \computer (via computer)
10/3 05:14:22 [LOGON] [2516] DOMAIN: SAMLOGON: Network Logon of domain\computer from computer
10/3 05:14:22 [LOGON] [292] DOMAIN: SAMLOGON: Transitive Network Logon of domain\user from computer (via computer)

I'm trying to write a PS script to parse the logs and pull user accounts that have been authenticated at LOGON on each DC. I don't need when someone accesses another computer or file share. Just logons. I want to find how many unique users are being authenticated at each DC.

Is there documentation anywhere on what the 5868, 6072, 2516, 292 codes are? There are over 360 unique codes in this log.
Are the "Network Logon" and "Transitive Network Logon" both authenticating users at logon?

I can write the script and parse the log, I just need to figure out what I'm looking for.

I don't want to read the security event logs - they are being forwarded to a log collector that is not easy to query.

Thanks in advance.

Windows for business Windows Server User experience Other
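The following PowerShell is an added example, not part of the original question or answer. It parses the SAMLOGON lines shown above into objects and counts the unique user accounts per DC. Two things worth knowing before counting: the number in the second bracket (5868, 6072, 2516, 292) is the Netlogon worker thread ID that handled the request, not an event or error code, so it carries no meaning for this purpose; and a real netlogon.log writes each logon twice, once with an "Entered" suffix and once with "Returns 0x<NTSTATUS>", so a naive line count doubles every logon and also counts failures. The script keeps lines with no suffix (as the question shows them) or a "Returns 0x0" suffix, drops computer accounts (names ending in "$"), and de-duplicates case-insensitively. One caveat: netlogon.log only records NTLM pass-through authentication; Kerberos logons never appear here, so the numbers are a lower bound, and the log cannot tell an interactive logon from a file-share access. The sample lines, DC names and the admin$ path are constructed for the example.

```powershell
# Added example, not from the original post. Parses the SAMLOGON lines of
# netlogon.log and reports the unique user accounts authenticated per DC.
# The $sample lines, the DC names and the admin$ path below are constructed.

# One SAMLOGON entry. The number after the [LOGON] flag is the Netlogon worker
# thread ID. The trailing "Entered" / "Returns 0x..." suffix is optional because
# the lines in the question carry none; real logs have it on every line.
$SamLogonPattern = '^(?<date>\d{1,2}/\d{1,2})\s+(?<time>\d{2}:\d{2}:\d{2})\s+' +
    '\[(?<flag>[A-Z]+)\]\s+\[(?<tid>\d+)\]\s+(?<dcdomain>[^:]+):\s+SAMLOGON:\s+' +
    '(?<type>(?:Transitive\s+)?\w+)\s+Logon\s+of\s+' +
    '(?<account>\S+)\s+from\s+(?<from>\S+)' +
    '(?:\s+\(via\s+(?<via>[^)]+)\))?' +
    '(?:\s+(?<status>Entered|Returns\s+0x[0-9A-Fa-f]+))?\s*$'

function ConvertFrom-NetlogonLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Line,
        [string]$DC = 'unknown'
    )
    process {
        if ($Line -notmatch $SamLogonPattern) { return }        # not a SAMLOGON line, skip it
        $parts = $Matches.account -split '\\', 2                # 'CORP\alice', '\bob' or 'alice'
        if ($parts.Count -eq 2) { $domain, $user = $parts } else { $domain, $user = '', $parts[0] }
        [pscustomobject]@{
            DC         = $DC
            Time       = '{0} {1}' -f $Matches.date, $Matches.time
            ThreadId   = [int]$Matches.tid
            LogonType  = $Matches.type                          # 'Network' or 'Transitive Network'
            Domain     = $domain
            User       = $user
            From       = $Matches.from.TrimStart('\')
            Via        = $Matches.via                           # forwarding host, empty when absent
            Status     = $Matches.status                        # 'Entered', 'Returns 0x...' or empty
            IsComputer = $user.EndsWith('$')                    # machine accounts end in $
        }
    }
}

function Get-NetlogonUniqueUsers {
    param([Parameter(Mandatory)][hashtable]$LogsByDC)          # DC name -> array of log lines
    foreach ($dc in $LogsByDC.Keys) {
        $logons = $LogsByDC[$dc] | ConvertFrom-NetlogonLogon -DC $dc | Where-Object {
            (-not $_.IsComputer) -and                           # drop computer accounts
            ([string]::IsNullOrEmpty($_.Status) -or             # no suffix, as in the question
             $_.Status -match '^Returns\s+0x0$')                # or success; drops "Entered" and failures
        }
        # Account names are case-insensitive, so key on lower-cased domain\user.
        $keys = @($logons | ForEach-Object { ('{0}\{1}' -f $_.Domain, $_.User).ToLowerInvariant() } |
                 Sort-Object -Unique)
        [pscustomobject]@{
            DC          = $dc
            LogonLines  = @($logons).Count
            UniqueUsers = $keys.Count
            Users       = $keys -join ', '
        }
    }
}

# Constructed sample for one DC, modelled on the four lines in the question plus an
# Entered/Returns pair, a computer account and a failed logon (0xC000006A = wrong password).
$sample = @{
    'DC01' = @(
        '10/3 05:14:22 [LOGON] [5868] CORP: SAMLOGON: Transitive Network Logon of CORP\alice from WS01 Entered',
        '10/3 05:14:22 [LOGON] [5868] CORP: SAMLOGON: Transitive Network Logon of CORP\alice from WS01 Returns 0x0',
        '10/3 05:14:23 [LOGON] [6072] CORP: SAMLOGON: Network Logon of \bob from \WS02 (via FS01)',
        '10/3 05:14:24 [LOGON] [2516] CORP: SAMLOGON: Network Logon of CORP\WS03$ from WS03',
        '10/3 05:14:25 [LOGON] [292] CORP: SAMLOGON: Transitive Network Logon of CORP\carol from WS04 (via DC02) Returns 0xC000006A',
        '10/3 05:14:26 [LOGON] [292] CORP: SAMLOGON: Network Logon of CORP\Alice from WS05',
        '10/3 05:14:27 [MISC] [1200] CORP: DsGetDcName function called: client PID=4, Dom:CORP'
    )
}

# Expected for the sample: LogonLines 3, UniqueUsers 2 (\bob and corp\alice).
Get-NetlogonUniqueUsers -LogsByDC $sample | Format-Table -AutoSize

# Against real DCs (assumed path). netlogon.log rolls over to netlogon.bak when it
# hits its size limit, so read both files to avoid missing the older half.
# $logs = @{}
# foreach ($dc in 'DC01', 'DC02') {
#     $logs[$dc] = Get-Content "\\$dc\admin`$\debug\netlogon.log", "\\$dc\admin`$\debug\netlogon.bak" -ErrorAction SilentlyContinue
# }
# Get-NetlogonUniqueUsers -LogsByDC $logs | Format-Table -AutoSize
```

The "(via X)" group is kept on each object so you can see where an NTLM request was forwarded from: a "Network Logon of domain\user from WS from (via FS01)" entry is the file server FS01 validating the user's credentials against the DC, which is the resource-access case the question wants to exclude, but netlogon.log itself gives no other signal to separate it from a logon at the console; the Security log's logon-type field does.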

1 answer

  1. Limitless Technology 39,916 Reputation points
    2022-10-07T14:43:28.72+00:00

    Hello there,

    Network logon authentication is used only after interactive logon authentication has taken place. Network logon does not rely on user interface components, such as a dialog box, to collect data. Instead, previously established credentials or another method to collect credentials is used.

    The Transitive Network logon means that the logon credential has been forwarded to the computer which has captured the log files. It is commonly referred to as pass-through authentication, and "via" indicates the source of the authentication.

    A network logon grants a user permission to access Windows resources on the local computer in addition to any resources on networked computers as defined by the credential's access token.

    For a list of event IDs you can try this link https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129

