New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


Event ID 4732 sensor (account added to local admin group) does not show user ID

Votes:

0

Your Vote:

Up

Down

Our sensor to detect Event ID 4732 from the security event logs (reveals an account was added to local admin group on a server) does not show User ID of the added account. It only shows the SID. It does show the SID AND the UserID of the account that was logged on at the time the account was added, but for the added account itself, the Logon ID is not shown, only the SID. How can we have PRTG show the User ID also for the added account itself?

4732 eventid logonid sid

Created on Nov 21, 2017 10:31:05 AM by  ahoppe (40) 1



5 Replies

Votes:

0

Your Vote:

Up

Down

Hi there,

I'm not sure if I get you correctly. Where exactly is SID and UserID stated? Within the event message itself?


Kind regards,
Stephan Linke, Tech Support Team

Created on Nov 23, 2017 3:09:28 PM by  Stephan Linke [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Correct, within the event message that PRTG shows, it correctly shows (besides the SID) the user who added an account to the local Admin group (depicted below as (anonymized by me) SOMEONESUSERID, where it correctly states the user account), but the account that was actually added, is show as a SID only (here: S-1-5-21-606537616-3266435759-3061854575-109903) and not the user ID (only "Account Name:-" ).

This is what it looks like in the message:

A member was added to a security-enabled local group. Subject: Security ID:S-1-5-21-606507616-3466433759-3051850375-104317 Account Name:SOMEONESUSERID Account Domain:OURCORP Logon ID:0x2d8449 Member: Security ID:S-1-5-21-606537616-3266435759-3061854575-109903 Account Name:- Group: Security ID:S-1-5-32-555 Group Name:Administrators Group Domain:Builtin Additional Information: Privileges:-

We were hoping it would not show Account Name:- but Account Name:ANOTHERUSERID somehow.

Created on Nov 27, 2017 10:02:40 AM by  ahoppe (40) 1

Last change on Nov 27, 2017 10:09:25 AM by  Stephan Linke [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Well, since the actual SAM account name is not disclosed in the message, there's no use to monitor that actual event. You might want to add a scheduled task that is executed everytime that event comes in and create a new event log entry that contains both username and the administrator who added it. The following PowerShell script should get you started:

$objSID = New-Object System.Security.Principal.SecurityIdentifier 
("<user's security ID>")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

$objUser.Value should contain the username that can be used for the new event name. If you need more specific event log monitoring, please check out monitoring historic windows events.


Kind regards,
Stephan Linke, Tech Support Team

Created on Nov 27, 2017 10:16:55 AM by  Stephan Linke [Paessler Support]



Votes:

0

Your Vote:

Up

Down

What I mean is that PRTG seems to leave out the user ID information ("Security ID"). All required information is clearly stated in the Security event with Event ID 4732 like below:

A member was added to a security-enabled local group.

Subject:
Security ID: OURCORP\"UserID of person adding the account"
Account Name: "UserID of person adding the account"
Account Domain: OURCORP
Logon ID: 0x26e1d

Member:
Security ID: OURCORP\"UserID of account added" (this is the event info we also want)
Account Name: -

Group:
Security ID: BUILTIN\Administrators
(this is the group the account was added to) Group Name: Administrators
Group Domain: Builtin

Additional Information:
Privileges: -

PRTG is making use of the Event information provided in "Account Name" only, and if it were to use "Security ID", we would have all information complete. So how can we make that "Security ID" information available (rather than "Account Name" only which is only displayed at the Subject section and not at the Member section of the event.

Created on Nov 29, 2017 9:25:16 AM by  ahoppe (40) 1



Votes:

0

Your Vote:

Up

Down

Yeah, but the message itself is not really parsed with the sensor and probably too long to be displayed in the sensor message. Guess my approach dislclosed in my previous post would be the proper way to go here. Maybe pushing them to a syslog receiver sensor could work as well, since it's easier to search within PRTG.


Kind regards,
Stephan Linke, Tech Support Team

Created on Dec 1, 2017 7:56:44 AM by  Stephan Linke [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.