Skip to content

Important Notes (audit policy change on client side)

Jump to bottom
shu-tom edited this page Dec 27, 2017 · 1 revision

The windows default log setting does not provide sufficient information for LogonTracer. You must to enable the audit policy on each computer which you want to analyze logon activities.

Open Local Group Policy Editor (gpedit.msc) and drill down to following location.

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object

Enable following entries, the event ID will be recorded.

  • Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
  • Logon/Logoff
    • Audit Logon
    • Audit Special Logon

Local Group Policy Editor1

Local Group Policy Editor2

Manual

  1. Home
  2. How to Install
    1. for Linux
    2. for OS X
  3. How to Use
    1. Start LogonTracer
    2. Accessing the Web GUI
    3. Import EVTX
    4. Search and visualize the event log
    5. Importance rank of accounts and hosts
    6. Timeline
    7. User Management
    8. Case Management
  4. Combining LogonTracer with Elasticsearch
  5. Jump start with Docker
  6. Setup with Docker Compose
  7. Setup with SSL
  8. Configuration
  9. Important Notes

マニュアル(日本語)

  1. ホーム
  2. インストール
    1. Linux
    2. OS X
  3. 使用方法
    1. LogonTracerの起動
    2. Web GUIへアクセス
    3. EVTXのインポート
    4. イベントログの検索と可視化
    5. アカウントとホストの重要度
    6. タイムライン
    7. ユーザ管理
    8. ケース管理
  4. Elasticsearchとの連携
  5. Dockerイメージの使い方
  6. Docker Composeの使い方
  7. 通信の暗号化
  8. 設定情報
  9. 注意
Clone this wiki locally