Interpreting JSON Audit Logs
Introduction
With JSON audit logging enabled, details of various events are logged in a regular way in JSON format. Each event has many attributes, but what do these attributes mean? This page aims to help.
The outermost layer has three elements: a timestamp, a type, and a data object that is indexed by the named type.
{ "timestamp": "2023-01-12T22:50:50.000000+00:00", "type": "<type>", "<type>": { ... } }
where "type" is one of "Authentication", "Authorization", "dsdbChange", "dsdbTransaction", "passwordChange", "replicatedUpdate" or "groupChange", and the data object is stored under a key of that same name. The type indicates which table you should look in below to understand the data.
common fields
Attribute | meaning |
---|---|
version | a version number for the JSON format. It has two parts. A change in possible values does not usually trigger a version change. This is obviously true for client supplied data, but also applies to e.g. passwordType, where the set of supported password formats can change over time without changing the JSON version. |
Authentication
Note: Some attributes will still be present when they are inapplicable. For example, if not using NETLOGON (per "serviceDescription"), "netlogonComputer" will be set to "null", "netlogonNegotiateFlags" will be "0x00000000", and other netlogon fields will have similarly empty values.
The client-, mapped- and became- account and domain attributes track the identity claim as it passes through the various layers. The client supplies the client- values, which may be converted to different mapped- values. If the authentication succeeds, the became- attributes describe the account that was actually used. Do not be surprised if these are often very similar.
Attribute | meaning |
---|---|
authDescription | the authentication type, including: |
becameAccount | the account name logged in as. This may differ from the account supplied by the client. |
becameDomain | the domain logged into. |
becameSid | the SID of the authenticated account. |
clientAccount | the reported account name from the client. |
clientDomain | the reported domain name from the client. |
duration | how long the authentication took in microseconds (up until this field was written). |
eventId | a Windows event ID, indicating in broad terms what happened. |
localAddress | the server address and port used. |
logonId | a random 64-bit identifier to help trace logon events through their different stages. |
logonType | Windows logon type, for Samba one of |
mappedAccount | the client account name translated to an AD account name. |
mappedDomain | the client domain translated to an AD domain name. |
netlogonComputer | the claimed computer name in NETLOGON RPC authentication. |
netlogonNegotiateFlags | NETLOGON negotiation option flags, documented in MS-NRPC 3.1.4.2. |
netlogonSecureChannelType | indicates the type of NETLOGON channel used. See MS-NRPC 2.2.1.3.13. |
netlogonTrustAccount | account used in NETLOGON authentication. |
netlogonTrustAccountSid | SID belonging to the NETLOGON trust account. |
passwordType | indicates the password algorithm/protocol (e.g. "HMAC-SHA256", "NTLMv2", "arcfour-hmac-md5"). |
remoteAddress | the claimed address (and port) of the remote client. |
serviceDescription | indicates the service type, for example "LDAP", "SMB2", "NETLOGON". |
status | an NT STATUS message. For a successful authentication this will be "NT_STATUS_OK". Unsuccessful authentications may have "NT_STATUS_OK" here if the authentication fails after this message is logged, but usually will have an error code. There are many possible errors, but fewer probable ones. Not all authentication types can produce all codes. Some are: |
version | see the introduction for an explanation. The version documented here has the value |
workstation | the claimed name of the client workstation. |
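The following is an added example, not part of this page or of Samba itself, showing how the outer layout and the Authentication fields above can be consumed: each line is parsed, the data object is looked up under the key named by "type", failed logons are counted per claimed source host (remoteAddress carries the port, which is stripped first) and successful logons where the client-supplied account differs from becameAccount are listed. The sample log lines and their values are constructed, and the {"major", "minor"} layout of "version" is an assumption.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log (not real Samba output): one event per line in the
# outer {"timestamp", "type", "<type>": {...}} layout described above.
# The {"major", "minor"} layout of "version" and all values are assumptions.
SAMPLE_LOG = """\
{"timestamp": "2023-01-12T22:50:50.000000+00:00", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "2f0e5d6b7a8c9d0e", "logonType": 3, "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "alice", "mappedAccount": "alice", "becameAccount": "alice", "becameDomain": "EXAMPLE", "remoteAddress": "ipv4:192.0.2.55:49712", "workstation": "WS01", "passwordType": "NTLMv2", "duration": 1836}}
{"timestamp": "2023-01-12T22:51:03.000000+00:00", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "3a1f6e7c8b9d0e1f", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "Administrator", "mappedAccount": "Administrator", "becameAccount": null, "becameDomain": null, "remoteAddress": "ipv4:198.51.100.7:50231", "workstation": "UNKNOWN", "passwordType": "NTLMv2", "duration": 2102}}
{"timestamp": "2023-01-12T22:51:04.000000+00:00", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "4b2a7f8d9c0e1f2a", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "backup", "mappedAccount": "backup", "becameAccount": null, "becameDomain": null, "remoteAddress": "ipv4:198.51.100.7:50232", "workstation": "UNKNOWN", "passwordType": "NTLMv2", "duration": 940}}
{"timestamp": "2023-01-12T22:52:10.000000+00:00", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "5c3b8091ad1f203b", "logonType": 3, "status": "NT_STATUS_OK", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "", "clientAccount": "bob@example.com", "mappedAccount": "bob", "becameAccount": "bob", "becameDomain": "EXAMPLE", "remoteAddress": "ipv4:192.0.2.60:38120", "workstation": "", "passwordType": "NTLMv2", "duration": 512}}
{"timestamp": "2023-01-12T22:53:00.000000+00:00", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}}}
"""


def parse_events(text):
    """Return (timestamp, type, data) triples; data is the object keyed by "type"."""
    events = []
    for line in text.splitlines():
        start = line.find("{")  # tolerate a log-line prefix before the JSON (assumption)
        if start < 0:
            continue
        rec = json.loads(line[start:])
        events.append((rec["timestamp"], rec["type"], rec[rec["type"]]))
    return events


def source_host(remote_address):
    """remoteAddress includes the port ("ipv4:198.51.100.7:50231"); drop it so
    repeated attempts from one client are grouped together."""
    return remote_address.rsplit(":", 1)[0]


def summarize_auth(events):
    """Per claimed source host, count failed logons by clientAccount, and list
    successful logons whose client-claimed account differs from becameAccount."""
    failures = defaultdict(Counter)
    remapped = []
    for _ts, etype, d in events:
        if etype != "Authentication":
            continue  # other event types have their own tables on this page
        if d["status"] != "NT_STATUS_OK":
            failures[source_host(d["remoteAddress"])][d["clientAccount"]] += 1
        elif d["clientAccount"] != d["becameAccount"]:
            remapped.append((d["logonId"], d["clientAccount"], d["becameAccount"]))
    return failures, remapped


if __name__ == "__main__":
    fails, remapped = summarize_auth(parse_events(SAMPLE_LOG))
    for host, accounts in fails.items():
        print(f"{host}: {sum(accounts.values())} failed logon(s) for {sorted(accounts)}")
    for logon_id, claimed, became in remapped:
        print(f"logonId {logon_id}: client claimed {claimed!r}, became {became!r}")
```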
Authorization
nothing yet here.
dsdbChange
nothing here either.