Event ID 4732 sensor (account added to local admin group) does not show user ID
Our sensor to detect Event ID 4732 from the security event logs (reveals an account was added to the local admin group on a server) does not show the User ID of the added account. It only shows the SID. It does show the SID AND the User ID of the account that was logged on at the time the account was added, but for the added account itself, the Logon ID is not shown, only the SID. How can we have PRTG show the User ID also for the added account itself?
Hi there,
I'm not sure if I get you correctly. Where exactly is SID and UserID stated? Within the event message itself?
Kind regards,
Stephan Linke, Tech Support Team
Correct, within the event message that PRTG shows, it correctly shows (besides the SID) the user who added an account to the local Admin group (depicted below as SOMEONESUSERID (anonymized by me), where it correctly states the user account), but the account that was actually added is shown as a SID only (here: S-1-5-21-606537616-3266435759-3061854575-109903) and not the user ID (only "Account Name:-").
This is what it looks like in the message:
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-606507616-3466433759-3051850375-104317
Account Name: SOMEONESUSERID
Account Domain: OURCORP
Logon ID: 0x2d8449
Member:
Security ID: S-1-5-21-606537616-3266435759-3061854575-109903
Account Name: -
Group:
Security ID: S-1-5-32-555
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: -
We were hoping it would not show Account Name:- but Account Name:ANOTHERUSERID somehow.
Created on Nov 27, 2017 10:02:40 AM
Last change on Nov 27, 2017 10:09:25 AM by Stephan Linke [Paessler Support]
Well, since the actual SAM account name is not disclosed in the message, there's no use in monitoring that actual event. You might want to add a scheduled task that is executed every time that event comes in and creates a new event log entry that contains both the username and the administrator who added it. The following PowerShell script should get you started:
# Build a SecurityIdentifier object from the SID string taken from the event
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("<user's security ID>")
# Translate the SID into a DOMAIN\username NTAccount
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
# The resolved account name
$objUser.Value
$objUser.Value should contain the username that can be used for the new event name. If you need more specific event log monitoring, please check out monitoring historic windows events.
Kind regards,
Stephan Linke, Tech Support Team
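As an added example that is not part of the original reply, the following script ties the pieces together: it reads the triggering 4732 event, pulls the Member SID and the Subject account from the event's XML (the rendered message drops the member name, but the EventData fields are still there), translates the SID, and writes a new Application log entry that a PRTG event log sensor can match on. The source name 'SIDResolver' and event ID 14732 are placeholders chosen here; it assumes it runs elevated.

```powershell
# Added example, not from the original thread. Assumes an elevated session
# (needed to read the Security log and to register the event source).
# 'SIDResolver' and event ID 14732 are placeholder values, not Windows or PRTG defaults.
param(
    [int]$RecordId = 0   # optional: pass $(EventRecordID) from the scheduled task trigger
)

$source  = 'SIDResolver'
$logName = 'Application'

# Pick the triggering event by record ID, or fall back to the newest 4732 event.
if ($RecordId -gt 0) {
    $xpath = "*[System[EventID=4732 and EventRecordID=$RecordId]]"
    $event = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1
} else {
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -MaxEvents 1
}

# The rendered message shows "Account Name: -" for the member, but the XML
# EventData still carries every field by name (SubjectUserName, MemberSid, ...).
$xml  = [xml]$event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

function Resolve-Sid([string]$Sid) {
    # Translate S-1-5-... into DOMAIN\user. A deleted account or a SID from an
    # untrusted domain cannot be mapped, so keep the raw SID in that case rather than failing.
    try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $objSID.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return "$Sid (unresolved)"
    }
}

$member = Resolve-Sid $data['MemberSid']
$admin  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
$group  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"

$msg = "Member $member was added to $group by $admin " +
       "(Logon ID $($data['SubjectLogonId']), Security log record $($event.RecordId))"

# Register the custom source once, then write the enriched entry for PRTG to pick up.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}
Write-EventLog -LogName $logName -Source $source -EventId 14732 -EntryType Warning -Message $msg
```

Point the scheduled task's "On an event" trigger at Security/4732 and have it run this script; the PRTG sensor then watches the Application log for the placeholder source and event ID instead of the raw 4732 message.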
What I mean is that PRTG seems to leave out the user ID information ("Security ID"). All required information is clearly stated in the Security event with Event ID 4732 like below:
A member was added to a security-enabled local group.
Subject:
Security ID: OURCORP\"UserID of person adding the account"
Account Name: "UserID of person adding the account"
Account Domain: OURCORP
Logon ID: 0x26e1d
Member:
Security ID: OURCORP\"UserID of account added" (this is the event info we also want)
Account Name: -
Group:
Security ID: BUILTIN\Administrators
(this is the group the account was added to)
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: -
PRTG is making use of the event information provided in "Account Name" only, and if it were to use "Security ID", we would have all the information complete. So how can we make that "Security ID" information available (rather than "Account Name" only, which is only displayed in the Subject section and not in the Member section of the event)?
Yeah, but the message itself is not really parsed by the sensor and is probably too long to be displayed in the sensor message. I guess my approach disclosed in my previous post would be the proper way to go here. Maybe pushing them to a syslog receiver sensor could work as well, since it's easier to search within PRTG.
Kind regards,
Stephan Linke, Tech Support Team