Tutorial: Creating a custom filter of failed logon attempts for a particular user

This tutorial shows you how to use the LANguard event viewer to create custom filters. In this tutorial we will create a filter that filters all failed logon attempts for a particular user. For this tutorial we will assume that the user we are interested in is GFIMALTA\administrator.

The information you need to filter on is the domain and the user account. This information is contained in the fields of the event description, so we need to find out which part of the description it comes from. To do this we bring up sample events in the event viewer and note the positions where this information is found.

Failed Logon Events

The events which cover failed logon attempts are events 529, 530, 531, 532, 533, 534, 535, 536, 537, 539.

Event ID  Type           Description
529       Failure Audit  Unknown user name or bad password
530       Failure Audit  Account logon time restriction violation
531       Failure Audit  Account currently disabled
532       Failure Audit  The specified user account has expired
533       Failure Audit  User not allowed to logon at this computer
534       Failure Audit  The user has not been granted the requested logon type at this machine
535       Failure Audit  The specified account's password has expired
536       Failure Audit  The NetLogon component is not active
537       Failure Audit  An unexpected error occurred during logon
539       Failure Audit  Account locked out

All the above Event ID records have the following message structure:

Event Origin Details:
        Date & Time:            %7
        Within N.O.Time:        %8
        Source:                 %9
        Computer:               %10
        User:                   %11
Logon Failure:
        Reason:         
        Logon Type:             %3
        Logon Process:          %4
        Authentication Package: %5
        Workstation Name:       %6
Extended Details:
        User SID:               %12

NOTE: Event 529 is only logged on a Domain Controller. If the remote computer tries to log on and the remote computer is not NT/2000/XP (or auditing is not enabled on the remote computer), then event 529 will not be generated.

Successful Logon Events

The events which cover successful logons are events 528 and 540.

Event ID  Type           Description
528       Success Audit  Successful Logon
540       Success Audit  Successful Network Logon

All the above Event ID records have the following message structure:

Event Origin Details:
        Date & Time:            %8
        Within N.O.Time:        %9
        Source:                 %10
        Computer:               %11
        User:                   %12
Successful Logon:
        Logon ID:               %3
        Logon Type:             %4
        Logon Process:          %5
        Authentication Package: %6
        Workstation Name:       %7
Extended Details:
        User SID:               %13

Note: Auditing log on and log off events on Windows NT Workstation or Server versions produces records in the Security Log. However, what may appear to be identical records in the Security Log may actually record network log on and log off events, interactive log on and log off events, initial network connections to a share, or disconnects from the share.

Although these events may be identical at the summary level in the Security Log, the details screen makes some distinctions among them.

Conclusion of investigation

We have now concluded our 'investigation' of the events we want to analyze and are ready to plan the filter we want to create:

We need to create a custom filter which selects all the successful and failed logon events and uses fields %1 and %2 to extract the user name and domain. We also know that the field name for %1 is "User name" and for %2 it is "Domain". These two tags are referred to as EXTENDED TAGS. We will use these extended tags to create the custom filter.

The custom filter will look for events 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 528 and 540 whose extended tag field value "User name" is "administrator" and whose extended tag field value "Domain" is "GFIMALTA".

Step 1 - Creating the initial filter

Once we know from where we need to get the information the rest is just a matter of creating the filter.

1. Open the LANguard S.E.L.M. event viewer: Start > Programs > LANguard S.E.L.M. > LANguard S.E.L.M. event viewer

LANguard S.E.L.M event viewer

2. Expand the "All security events" node. Right click on the "All security events" node and select "Filter…"

Filter condition

3. Now we have to specify which events we want to filter. Double click on the Field name "Event". This will bring up the condition dialog.

Specify the condition to filter on

Enter the event ID 528 and click on OK. Repeat the process for each of the remaining events we want to filter on, i.e. 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 and 540. Once done, change all of the logical operators marked as AND to OR using the appropriate combo box in the main filtering dialog.

Query of the events to filter on

4. Click on the button named "Node from filter". You will see that a new node under the "All security events" will appear. Rename that node to "Logon events for administrator".

LANguard Event viewer with custom filter

From the above screen shot you can see that the filter is already showing only the events which we specified in the filtering rule, i.e. 528 OR 540 OR … OR 539.

From the screen shot above you can also see that the User column is not restricted to GFIMALTA\administrator: events for other accounts are still displayed. This is what we will be setting up next.

Step 2 - Refining the filter: setting up the filter to only display events for a particular user

Now, we are going to refine the filter to display the events for a particular user.

1. Right click on the "Logon events for administrator" node and select "Filter". This will bring up the filter properties for that node.

Refining the filter

2. We want to enclose the current filtering options in brackets to enable logical groupings of the conditions. Go to the first line of the filtering conditions and click on the opening bracket button which reads "+(". Go to the very last line of the filtering condition and click on the closing bracket button which reads "+)".

Adding beginning & ending brackets

3. Since we know that the required filtering information is contained in the description field, and we know the extended field name tags ("User name" and "Domain"), we will use the Extended group settings. Click on the option "Extended Group"; the list of field name tags will be updated to contain all of the possible extended field name tags.

In the list, search for the extended tag named "User name". Double click on it and enter the value you want it to be, i.e. "administrator".

In the list, search for the extended tag named "Domain". Double click on it and enter the value you want it to be, i.e. "GFIMALTA".

4. Now all that remains is that we arrange the logic of the filtering string. Both of the last values are required and hence we will enclose them in brackets and associate them with the original bracketed filtering value in order to get the required logic correct.

( EVENT 528 OR EVENT 529 OR EVENT 530 OR EVENT 531 OR EVENT 532 OR EVENT 533 OR EVENT 534 OR EVENT 535 OR EVENT 536 OR EVENT 537 OR EVENT 539 OR EVENT 540 ) AND

( User Name = administrator AND Domain = GFIMALTA )

The refined filter

Click on the line which starts with User Name and click on the opening bracket "+(". Click on the line which starts with Domain and click on the closing bracket "+)". The two main query components are now in place.

5. All that remains is to change the logical operator connecting the two 'queries'. Click on the line just before the opening bracket of the second query part (in this case it reads "Event = 540 ) OR") and change the connector from OR to AND. Your query filter should look as shown in the screen shot below.

The final query

6. Click on Apply and OK. Your custom filter has been created and set up as required. Now whenever you want to check out all logon events which are related to the account GFIMALTA\administrator (in this case) all you have to do is open up the LANguard S.E.L.M. event viewer and click on this custom filter.
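As an added example (not from the tutorial or from GFI), the following Python models the filter built in Steps 1 and 2 over a few constructed Security Log records, so the effect of the brackets can be checked without the event viewer. The event IDs and extended tags are the ones the tutorial uses; the sample records, the case-insensitive account comparison and the "ungrouped" reading that assumes AND binds before OR are this example's own assumptions, not statements about how the LANguard filter engine evaluates an unbracketed query.

```python
# Added example (not part of the GFI tutorial): applies the tutorial's custom
# filter to constructed Security Log records and contrasts it with the same
# conditions left ungrouped, to show why Step 2 brackets each half of the query.
from dataclasses import dataclass

# Failed logon events (529-537, 539) plus successful logons (528, 540).
LOGON_EVENTS = {528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 540}
# Extended tags named in the tutorial and the %n insertion string each maps to.
EXTENDED_TAGS = {"User name": 1, "Domain": 2}

@dataclass
class SecurityEvent:
    """One Security Log record: event ID plus the description's insertion
    strings (strings[0] is %1, strings[1] is %2, and so on)."""
    event_id: int
    strings: list

    def extended(self, tag):
        return self.strings[EXTENDED_TAGS[tag] - 1]

def account_matches(ev, user, domain):
    # Account and domain names are compared case-insensitively (assumption made
    # here; the tutorial types them as "administrator" and "GFIMALTA").
    return (ev.extended("User name").lower() == user.lower()
            and ev.extended("Domain").lower() == domain.lower())

def grouped_filter(ev, user="administrator", domain="GFIMALTA"):
    """( EVENT 528 OR ... OR EVENT 540 ) AND ( User Name = user AND Domain = domain )"""
    return ev.event_id in LOGON_EVENTS and account_matches(ev, user, domain)

def ungrouped_filter(ev, user="administrator", domain="GFIMALTA"):
    """Same conditions without brackets, read with AND binding before OR: only
    the last event ID (540) is tied to the account, so every other logon event
    passes for any user. This is the mistake the brackets in Step 2 prevent."""
    ids = sorted(LOGON_EVENTS)  # 528 ... 539, 540
    return ev.event_id in ids[:-1] or (
        ev.event_id == ids[-1] and account_matches(ev, user, domain))

def select(events, predicate):
    return [ev.event_id for ev in events if predicate(ev)]

# Constructed sample records (not real log data): %1 = user name, %2 = domain,
# %3 = logon type, %4 = logon process, %5 = auth package, %6 = workstation.
SAMPLE_EVENTS = [
    SecurityEvent(529, ["administrator", "GFIMALTA", "3", "NtLmSsp", "NTLM", "WS01"]),
    SecurityEvent(528, ["jsmith", "GFIMALTA", "2", "User32", "Negotiate", "WS02"]),
    SecurityEvent(540, ["administrator", "OTHERDOM", "3", "Kerberos", "Kerberos", "WS03"]),
    SecurityEvent(538, ["administrator", "GFIMALTA", "3", "Kerberos", "Kerberos", "WS01"]),
    SecurityEvent(539, ["Administrator", "gfimalta", "3", "NtLmSsp", "NTLM", "WS04"]),
]
```

Running `select(SAMPLE_EVENTS, grouped_filter)` keeps only the two administrator records, while the ungrouped reading also lets through the 528 logon by jsmith.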


© 2008. All rights reserved. GFI Software