Which Windows Security event IDs are logged when a user logs in to or out of a Unix/Linux machine joined to the domain?
1) Event 538 - account logoff
2) Event 540 - account logon
These appear only as success audits:
a) for users, the AD user name appears as the account name, together with the client's IP address
b) for machine accounts, the computer name appears as the account name, together with the client's IP address
3) Event 627 - change password attempt (also occurs for machine accounts, which change their own passwords periodically)
4) Event 644 - account locked out
5) Event 672 - authentication ticket granted (Kerberos AS request, i.e. the TGT)
6) Event 673 - service ticket granted (Kerberos TGS request)
7) Event 675 - pre-authentication failed
a) If the password is wrong, a UNIX machine causes event 675, “pre-authentication failed”, to be logged on the domain controller that handled the Kerberos request.
b) This differs from Windows machines, which log event 529 (logon failure: unknown user name or bad password) on the machine where the logon was attempted.
8) UNIX machines also won't record incorrect user names in the Windows event log.
This is because DirectControl checks whether the user name exists in the Zone before attempting to authenticate.
If the user name doesn't exist, NSS falls through to the next configured source (typically “files”), so no authentication request is ever sent to the domain controller and nothing is audited there.
Reference: KB-0498, "Failed login attempts do not get audited in Security Event Log"
9) Event 4771 - Kerberos pre-authentication failed (the Windows Server 2008 and later equivalent of event 675)
10) Event 4740 - account locked out (the Windows Server 2008 and later equivalent of event 644)
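The following is an added example, not part of this KB article or of DirectControl, showing how the failure-side events above (675/4771 and 644/4740) can be correlated once exported from a domain controller's Security log. The sample records are constructed for the example and are not real events; the field names (id, user, ip, time) are an assumed simplified export format, not the Windows event schema. It maps the legacy IDs onto their 2008+ equivalents so a mixed domain is handled once, then flags account/client pairs that produce repeated pre-authentication failures inside a short window and checks whether a lockout followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy (Windows 2000/2003) IDs mapped onto their Vista/2008+ equivalents,
# as listed on this page.
LEGACY_TO_MODERN = {675: 4771, 644: 4740}
PREAUTH_FAILED = 4771   # Kerberos pre-authentication failed (legacy 675)
LOCKOUT = 4740          # account locked out (legacy 644)

# Constructed sample records (assumed simplified export shape; not real events).
# 644/4740 does not carry a client IP, so that field is left empty for it.
SAMPLE_EVENTS = [
    {"id": 675,  "user": "alice", "ip": "10.0.0.25", "time": "2024-03-01T09:00:05"},
    {"id": 675,  "user": "alice", "ip": "10.0.0.25", "time": "2024-03-01T09:00:40"},
    {"id": 4771, "user": "alice", "ip": "10.0.0.25", "time": "2024-03-01T09:01:10"},
    {"id": 644,  "user": "alice", "ip": "",          "time": "2024-03-01T09:01:12"},
    {"id": 4771, "user": "bob",   "ip": "10.0.0.30", "time": "2024-03-01T09:02:00"},
    {"id": 4771, "user": "carol", "ip": "10.0.0.25", "time": "2024-03-01T11:00:00"},
    {"id": 4771, "user": "carol", "ip": "10.0.0.25", "time": "2024-03-01T11:30:00"},
    {"id": 4771, "user": "carol", "ip": "10.0.0.25", "time": "2024-03-01T11:59:00"},
]


def normalize(event):
    """Map a legacy ID onto its modern equivalent and parse the timestamp."""
    return {
        "id": LEGACY_TO_MODERN.get(event["id"], event["id"]),
        "user": event["user"].lower(),
        "ip": event["ip"],
        "time": datetime.fromisoformat(event["time"]),
    }


def find_preauth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, ip): [times]} for each account/client pair with at least
    `threshold` pre-authentication failures inside one sliding `window`.
    Failures spread out over an hour are therefore not reported."""
    failures = defaultdict(list)
    for e in map(normalize, events):
        if e["id"] == PREAUTH_FAILED:
            failures[(e["user"], e["ip"])].append(e["time"])
    bursts = {}
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[key] = times[i:i + threshold]
                break
    return bursts


def lockouts_following(events, bursts, grace=timedelta(minutes=1)):
    """For each burst, report whether a lockout for the same account was
    logged within `grace` after the burst's last failure."""
    lockout_times = defaultdict(list)
    for e in map(normalize, events):
        if e["id"] == LOCKOUT:
            lockout_times[e["user"]].append(e["time"])
    result = {}
    for (user, ip), times in bursts.items():
        last = times[-1]
        result[(user, ip)] = any(last <= t <= last + grace
                                 for t in lockout_times[user])
    return result


if __name__ == "__main__":
    bursts = find_preauth_bursts(SAMPLE_EVENTS)
    locked = lockouts_following(SAMPLE_EVENTS, bursts)
    for (user, ip), times in bursts.items():
        print(f"{user} from {ip}: {len(times)} pre-auth failures, "
              f"lockout followed: {locked[(user, ip)]}")
```

With the defaults only alice from 10.0.0.25 is reported, with a lockout following; carol's three failures are an hour apart and bob's single failure is below the threshold. Widening the window to an hour adds carol. Keep in mind the caveat from item 8 above: because DirectControl rejects names that are not in the Zone before any Kerberos request is made, this correlation can only ever show accounts that exist, so a spray of non-existent user names against a UNIX host leaves no trace in the domain controller's log and must be looked for in the UNIX host's own authentication log.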