successfully recorded trigger.
The expression for the trigger is as follows:
{Template Windows Event log:eventlog[security, "Success Audit", ^4624$,,skip].nodata}=0
{Template windows Event log:eventlog[security,, "Success Audit",, ^4624$,,skip].str (ADVAPI)}=0
The meaning of the expression is: i
, if skip is omitted, historical log entries matching the above conditions will also be monitored.
Information type: Log
Monitoring interval: 60s
History retention period: 7 days
3.2.2) Account Login Failure monitoring entry:
Eventlog[security,, "Failure Audit",, ^6281$,,skip]
3.3) Create a trigger:
3.3.1) landing a
folder or printer through plaintext authentication. As far as I know, this type of logon only occurs when you log on from an ASP script that uses ADVAPI or when a user logs on to IIS using Basic authentication. ADVAPI is listed in the Logon Process column.
Login Type 9: New credentials (NewCredentials)
When you run a program using the runas command with the /netonly parameter, runas runs it with the locally c
considers the unlock operation to be a type 7 login, and the failed type 7 login indicates that someone has entered the wrong password or someone is trying to unlock the computer.
Login Type 8: Network cleartext (NetworkCleartext)
This login indicates a network login like Type 3, but the password is transmitted over the network in clear text. Windows Server does not allow connecting to a shared folder or printer through plaintext authentication. As far as I k
request. Please refer to the event log for more detail information. Please contact the server Administrator for assistance.
(ii) Security log records (2 entries)
Event Type: Failure audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2001-9-9
Time: 11:17:07
User: NT Authority\System
Computer: MYSERVER
Description:
Login failed:
Reason: Unknown user name or bad password
User name: Iwam_myserver
Domain: Mydom
Logon Type: 4
Logon process: Adv
page for a link to the information you want.
Click the Refresh button, or try again later.
HTTP 500-Internal server error
Internet Information Services
--------------------------------------------------------------------------------
Technical information (Personal support)
Detailed information:
Microsoft Support
Or is:
Server Application Error
The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detail i
information. Click Refresh or try again later.
HTTP 500-Internal Server Error
Internet Information Service
--------------------------------------------------------------------------------
Technical Information (Personal Support)
Details:
Microsoft support
Or:
Server application error
The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detail information. Please contact the server administrator fo
for more detail information. Please contact the server Administrator for assistance.
(ii) Security log records (2 entries)
Event Type: Failure audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2001-9-9
Time: 11:17:07
User: NT Authority\System
Computer: MYSERVER
Description:
Login failed:
Reason: Unknown user name or bad password
User name: Iwam_myserver
Domain: Mydom
Logon Type: 4
Logon process: Advapi
Authentication Package: MIC
plaintext (NetworkCleartext)
This type of logon indicates a network login like type 3, but the login password is transmitted in plaintext over the network. Windows Server does not allow you to connect to a shared folder or printer through plaintext verification. As far as I know, this type of logon is only possible if you log on from an ASP script using Advapi or a user logs on to IIS using basic authentication. The "Logon Process" column
(Markl) 22-aug-1989
\Sdktools\imagehlp\rebase.c Mark Lucovsky (Markl) 30-apr-1993
\Sdktools\imagehlp\rebasei.c Mark Lucovsky (Markl) 30-apr-1993
\Sdktools\imagehlp\smashlck.c Mark Lucovsky (Markl) 30-apr-1993
\Windows\base\advapi.h Mark Lucovsky (Markl) 18-sep-1990
\Windows\base\Client\Alpha\context.c Mark Lucovsky (Markl) 28-sep-1990
\Windows\base\Client\i386\context.c Mark Lucovsky (Markl) 28-sep-1990
\Windows
detail information. Please contact the server Administrator for assistance.
(ii) Security logging (2)
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2001-9-9
Time: 11:17:07
User: NT AUTHORITY\SYSTEM
Computer: MyServer
Description:
Logon failed:
Reason: Unknown user name or password error
Username: iwam_myserver
Domain: mydom
Logon Type: 4
Logon process: ADVAPI
Authentication package: MICROSOFT