I've got a question about the above field. It's presented in Windows auth logs. From what I know about Windows logs there are effectively 9 types (2,3,4,5,7,8,9,10,11). So I set up alerts to pick up particular logontype failures. I've noticed I'm not getting any results at all apart from logontype 3. So I'm guessing this isn't the "LogonType" I thought it was? Any thoughts?
Network logon—This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).
The majority I see are 2, 4, 5, 9 and 10.
This might be useful:
The common logon types are the following.
a) Logon Type (2): Console logon – interactive from the computer console
b) Logon Type (3): Network logon – network mapping (net use/net view)
c) Logon Type (4): Batch logon – scheduler
d) Logon Type (5): Service logon – service uses an account
e) Logon Type (6): Proxy Logon
f) Logon Type (7): Unlock Workstation
g) Logon Type (8): NetworkClearText (Reserved for cleartext logons over the network)
h) Logon Type (9): NewCredentials (Initiated by using runas command with the /netonly)
i) Logon Type (10): Remote Interactive (Recorded for Terminal Service Logons)
j) Logon Type (11): Cached Interactive (Recorded when cached credentials are used to log on locally to a computer)
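
As an added example (not posted by anyone in this thread): one way to check which logon types actually appear in failed-logon events before alerting on them. It assumes raw Windows Security event XML in which event 4625 carries a `LogonType` data field; the sample events and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Names taken from the list in the thread above.
LOGON_TYPES = {2: "Console", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock", 8: "NetworkClearText", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def make_event(event_id, logon_type, user):
    """Build a constructed event in the Windows Security event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    make_event(4625, 3, "alice"),
    make_event(4625, 3, "bob"),
    make_event(4625, 3, "alice"),
    make_event(4625, 10, "carol"),
    make_event(4624, 2, "dave"),   # success, must not be counted
    make_event(4625, "", "erin"),  # field present but empty
]

def parse_logon(xml_text):
    """Return (event_id, logon_type or None) from one event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    raw = data.get("LogonType", "")
    return event_id, int(raw) if raw.isdigit() else None

def failed_by_type(events):
    """Count failed logons (4625) per logon type; None = type missing/unparseable."""
    counts = Counter()
    for xml_text in events:
        event_id, logon_type = parse_logon(xml_text)
        if event_id == 4625:
            counts[logon_type] += 1
    return counts

def watch_report(events, watch_types):
    """List (type, name, failures) for every watched type, including zero hits."""
    counts = failed_by_type(events)
    return [(t, LOGON_TYPES.get(t, "Unknown"), counts[t]) for t in watch_types]

if __name__ == "__main__":
    for row in watch_report(SAMPLE_EVENTS, sorted(LOGON_TYPES)):
        print(row)
```

Listing zero-hit types alongside the populated ones shows whether an alert is silent because no such failures exist in the data or because the field being matched is not the one expected.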