
Reduce Windows 2008 Event 4624

Question asked by Davide Ansher on Jun 7, 2018
Latest reply on Jun 8, 2018 by Davide Ansher

Hi all,

I have a problem with the extra (useless) information in the logs produced by Windows 2008, especially this event (4624): it almost eats up my licensing space. If I could remove the blue part, thus saving half the space, I'd save many GB per 24h of useful space (my SIEM environment is really huge).

We send those events to NetWitness with WinRM. I can't use the Snare agent on those machines (and I can't, ofc, change the Windows version ;-) ).

Are there other ways I can remove these lines from the log (directly on the Windows 2008 machines, or directly on the SIEM), since they do not provide useful information and only waste license space? If this could be done, I'd save half the space (from a 2 kB log, it would become a 1 kB log).

Tyvm, and sorry for my bad English ;-) I hope I managed to explain the problem clearly.

David

  LogName=Security
  SourceName=Microsoft Windows security auditing.
  EventCode=4624
  EventType=0
  Type=Information
  ComputerName=HIDDEN
  TaskCategory=Logon
  OpCode=Info
  RecordNumber=6039
  Keywords=Audit Success
  Message=An account was successfully logged on.
  ....
  This event is generated when a logon session is created. It is generated on the computer that was accessed.
  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
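One way to do this at the collection or parsing stage, as an added example that is not part of the original post and is not NetWitness or WinRM functionality: a small Python filter that cuts a 4624 record at the first sentence of the static description and leaves every other event untouched. The sample event and its "Logon Type: 3" line are constructed for the demonstration, and the filter assumes events arrive as key=value text like the one quoted above.

```python
import re
from typing import Optional

# First sentence of the static description Microsoft appends to every 4624
# message; nothing after it is specific to the individual logon.
STATIC_DESCRIPTION_START = "This event is generated when a logon session is created."

# Only these event codes are trimmed, so other records whose text happens to
# contain the marker sentence pass through untouched.
TRIM_EVENT_CODES = {"4624"}

# Constructed sample in the key=value layout the poster quoted (not a real
# capture); the "Logon Type: 3" line stands in for the per-logon fields.
SAMPLE_4624 = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
ComputerName=HIDDEN
TaskCategory=Logon
Keywords=Audit Success
Message=An account was successfully logged on.
Logon Type: 3
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
"""


def event_code(raw: str) -> Optional[str]:
    """Read the EventCode=... header line of a raw key=value event."""
    m = re.search(r"^EventCode=(\d+)\s*$", raw, re.MULTILINE)
    return m.group(1) if m else None


def trim_static_description(raw: str) -> str:
    """Drop everything from the static description onward.

    Events outside TRIM_EVENT_CODES, and 4624 events without the marker
    (already trimmed, or a localized message), are returned unchanged.
    """
    if event_code(raw) not in TRIM_EVENT_CODES:
        return raw
    idx = raw.find(STATIC_DESCRIPTION_START)
    if idx == -1:
        return raw
    return raw[:idx].rstrip() + "\n"


def bytes_saved(raw: str) -> int:
    """Size reduction in bytes for one event, for license-volume estimates."""
    return len(raw.encode()) - len(trim_static_description(raw).encode())
```

Because the cut happens after the per-logon fields (account, logon type, source address), the forensic content of the event survives; only the explanatory text that is identical in every 4624 is dropped.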
