resolveSIDs not working?

  • Question

  • User531388329 posted
    using 2.2 against a w2k3 Domain Controller.

    this syntax:

    logparser.exe "SELECT TimeWritten,EventID,ComputerName,Message FROM \\server\security WHERE EventID IN (642) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0

    gets me:

    2005-07-11 08:55:48 642 server User Account Changed: Target Account Name: johnsmith Target Domain: DOMAIN Target Account ID: %{S-1-5-21-1740716941-1587943272-5522801-7103} Caller User Name: ANONYMOUS LOGON Caller Domain: NT AUTHORITY Caller Logon ID: (0x0,0x2BCD28F) Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 7/11/2005 8:55:48 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -

    this syntax:

    logparser.exe "SELECT TimeWritten,EventID,ComputerName,Message FROM \\server\security WHERE EventID IN (642) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0 -resolveSIDs:on

    gets me:

    2005-07-11 08:55:48 642 server User Account Changed: Target Account Name: johnsmith Target Domain: DOMAIN Target Account ID: %{S-1-5-21-1740716941-1587943272-5522801-7103} Caller User Name: ANONYMOUS LOGON Caller Domain: NT AUTHORITY Caller Logon ID: (0x0,0x2BCD28F) Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 7/11/2005 8:55:48 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -

    a copy and paste of the event message from the server yields:

    User Account Changed:
    Target Account Name: johnsmith
    Target Domain: DOMAIN
    Target Account ID: DOMAIN\johnsmith
    Caller User Name: ANONYMOUS LOGON
    Caller Domain: NT AUTHORITY
    Caller Logon ID: (0x0,0x2BCD28F)
    Privileges: -
    Changed Attributes:
    Sam Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: 7/11/2005 8:55:48 AM
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: -
    New UAC Value: -
    User Account Control: -
    User Parameters: -
    Sid History: -
    Logon Hours: -
    any ideas?

    tia,

    JoS
    Tuesday, August 21, 2007 2:21 AM

All replies

  • User531388329 posted

    ResolveSIDs is supposed to resolve the SID returned in the 'SID' field; it has no effect on SIDs embedded in the 'Message' or 'Strings' field. EventViewer has a special hack to resolve '%<sid>' which LP does not implement.

    One thing you can do is add a "RESOLVE_SID(EXTRACT_TOKEN(Strings, 2, '|'))" to your SELECT (I'm assuming the SID is the third string in the 'Strings' field).

    Tuesday, July 12, 2005 8:30 AM
  • User531388329 posted
    Many thanks for the reply - I will try it out and let you know. Also, thanks for the great tool! Any word on 3.0 and the support for multiple inputs in the same query?
    Tuesday, July 12, 2005 8:49 AM
  • User531388329 posted
    Working on it... can't say anything about dates yet, sorry :-)
    Friday, July 15, 2005 9:04 AM
  • User531388329 posted
    A similar hack (turned on/off with an -i:EVT option, of course, since it is a hack) would be extremely helpful for log consolidation. As an aside, what are the performance implications of such resolution; how much work does it take to resolve a SID? Perhaps caching is in order?

    Thanks,
    Mathew Johnston
    Thursday, July 28, 2005 11:27 AM
  • User531388329 posted

    LP does cache SIDs, so resolving a single SID 100 times has roughly the same cost as resolving it once.

    For each SID resolution, the cost depends on whether it's a domain account or a local account.

    Local lookup is cheap; domain lookup is expensive.

    Sunday, July 31, 2005 6:00 PM
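The two points made in the replies above (Log Parser does not expand '%{SID}' tokens inside the Message field, and resolution should be cached because domain lookups are expensive) can be applied on the client side after export. The following Python is an added example, not part of this thread or of Log Parser: it expands '%{SID}' tokens in exported Message rows the way Event Viewer does, using a cached lookup. The account table and sample rows are constructed from the output quoted in the question; a real tool would call LookupAccountSid instead of the table.

```python
import re
from functools import lru_cache

# Event Viewer expands "%{S-1-5-...}" tokens in the Message text; Log Parser
# 2.2 leaves them as-is, so this expansion is done on the exported rows.
SID_TOKEN = re.compile(r"%\{(S-1-[0-9]+(?:-[0-9]+)+)\}")

# Constructed table standing in for LookupAccountSid against the domain.
# The mapping for the first SID is the one Event Viewer showed in the question.
_DIRECTORY = {
    "S-1-5-21-1740716941-1587943272-5522801-7103": "DOMAIN\\johnsmith",
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
}
_LOOKUPS = {"count": 0}  # how many times the (expensive) lookup really ran


@lru_cache(maxsize=4096)
def resolve_sid(sid: str) -> str:
    """Resolve one SID to DOMAIN\\account; cached, as Log Parser caches its own lookups."""
    _LOOKUPS["count"] += 1
    return _DIRECTORY.get(sid, sid)  # unknown SIDs stay as the raw SID string


def expand_sids(message: str) -> str:
    """Replace every %{SID} token in an event Message with the resolved account name."""
    return SID_TOKEN.sub(lambda m: resolve_sid(m.group(1)), message)


# Constructed rows in the shape of the -o:NAT output quoted in the question,
# trimmed to the fields that matter here; both rows carry the same SID.
SAMPLE_ROWS = [
    "2005-07-11 08:55:48 642 server User Account Changed: Target Account Name: johnsmith "
    "Target Account ID: %{S-1-5-21-1740716941-1587943272-5522801-7103} "
    "Caller User Name: ANONYMOUS LOGON",
    "2005-07-11 09:02:13 642 server User Account Changed: Target Account Name: johnsmith "
    "Target Account ID: %{S-1-5-21-1740716941-1587943272-5522801-7103} "
    "Caller User Name: ANONYMOUS LOGON",
]


def run_sample():
    """Expand SIDs in SAMPLE_ROWS from a cold cache; return (rows, lookups performed)."""
    resolve_sid.cache_clear()
    _LOOKUPS["count"] = 0
    rows = [expand_sids(r) for r in SAMPLE_ROWS]
    return rows, _LOOKUPS["count"]


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
```

With two rows sharing one SID, run_sample() reports a single real lookup; the second occurrence is served from the cache, which is the behaviour the last reply describes for Log Parser itself.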