This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Reduce Windows 2008 Event 4624

DavideAnsher
Beginner
Beginner

‎2018-06-07 02:49 PM

Hi all,

 

i have a problem with the extra (useless) information of log produced by Windows 2008. Especially this event (4624), it almost eat my licensing space. If i could remove the blue part, thus saving half the space, i'll save many GB/24h of useful space (my siem environment is really huge).

 

We send those events to Netwitness with WinRM. I can't use Snare agent on those machines (and i can't, ofc, change Windows Version 😉 ).

 

Are there other ways i can remove this lines from the log (directly on windows 2008 machines, of directly on SIEM), since they do not provide useful information and they only waste license space ? if this could be done, i'll save half the space (from 2kB log, it will become 1kB log)

 

Tyvm, and sorry for my bad english 😉 i hope i managed to explain clearly the problem.

 

David

 

 

 

  1. LogName=Security
  2. SourceName=Microsoft Windows security auditing.
  3. EventCode=4624
  4. EventType=0
  5. Type=Information
  6. ComputerName=HIDDEN
  7. TaskCategory=Logon
  8. OpCode=Info
  9. RecordNumber=6039
  10. Keywords=Audit Success
  11. Message=An account was successfully logged on.
  12. ....
  13. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  14. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  15. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  16. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  17. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  18. The authentication information fields provide detailed information about this specific logon request.
  19. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  20. - Transited services indicate which intermediate services have participated in this logon request.
  21. - Package name indicates which sub-protocol was used among the NTLM protocols.
  22. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
0 Likes
3 REPLIES 3

EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2018-06-07 04:11 PM

Davide Ansher‌,

 

I've moved your question to the RSA NetWitness Platform" data-type="space space, where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

Regards,

Erica

0 Likes

SravanKoneti1
Beginner
Beginner

‎2018-06-08 04:06 AM

Hi David,

 

This can be done using steps mentioned in https://community.rsa.com/message/892052 

0 Likes

DavideAnsher
Beginner
Beginner
In response to SravanKoneti1

‎2018-06-08 12:59 PM

hi sravan, thank you for your answer. i already saw the link you provided, but i can't use snare, i can't install agent at all. i am limited to the use of winrm. is there a way without the use of an agent ?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.