JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Audit Policy Change function not working #59

Closed DanStutz closed 4 years ago

DanStutz commented 5 years ago

As stated in the title, the audit policy change does not do anything and returns a warning that the search has failed. I looked through some of the source code and see that you only put [4776, 4768, 4769, 4624, 4625] into the data_array, therefore the 4719 event code is not being parsed and added to the database. I also looked inside the database and found no count4719, which further adds to the issue. I'm sure this is a quick fix, but I have little experience with Docker and how it operates, therefore I do not know whether the changes I make to the logontracer.py file will hold when I init Docker.
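To make the reporter's point concrete, here is an added example (not LogonTracer's own code, and not from either participant) that parses Windows event-log XML records and counts them against an event-ID allow-list. The XML namespace, the field names read from the 4624/4625/4719 records and the `%%8448`..`%%8451` codes in the `AuditPolicyChanges` field are taken from the standard Windows Security log schema; the sample records themselves are constructed for the example, and `LOGON_EVENT_IDS` mirrors the list the reporter quotes from the source.

```python
"""Added example: how an event-ID allow-list decides which Windows Security
records survive parsing. Not LogonTracer code; sample records are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by exported Windows event XML (e.g. from python-evtx or wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event IDs the issue reporter found in data_array (logon/Kerberos/NTLM events).
LOGON_EVENT_IDS = {4776, 4768, 4769, 4624, 4625}
# Event 4719 = "System audit policy was changed"; add it to also keep policy changes.
AUDIT_POLICY_EVENT_IDS = LOGON_EVENT_IDS | {4719}

# Meaning of the AuditPolicyChanges codes in a 4719 record (Windows Security log).
AUDIT_POLICY_CHANGE_CODES = {
    "%%8448": "Success removed",
    "%%8449": "Success added",
    "%%8450": "Failure removed",
    "%%8451": "Failure added",
}

# Constructed sample log: one logon, one audit-policy change, one failed logon,
# plus a 4672 record that neither allow-list should keep.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-01-01T10:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data>
 <Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4719</EventID><TimeCreated SystemTime="2020-01-01T10:05:00Z"/></System>
 <EventData><Data Name="SubjectUserName">bob</Data>
 <Data Name="SubcategoryGuid">{0CCE9215-69AE-11D9-BED3-505054503030}</Data>
 <Data Name="AuditPolicyChanges">%%8448</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><TimeCreated SystemTime="2020-01-01T10:06:00Z"/></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4672</EventID><TimeCreated SystemTime="2020-01-01T10:07:00Z"/></System>
 <EventData><Data Name="SubjectUserName">bob</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return a list of (event_id, {data_name: value}) for every <Event> record."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid_text = ev.findtext("e:System/e:EventID", namespaces=NS)
        if eid_text is None:  # malformed record: skip rather than crash the run
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((int(eid_text), data))
    return events


def count_by_event_id(events, allowed_ids):
    """Count records per event ID, keeping only IDs in the allow-list.
    With LOGON_EVENT_IDS the 4719 count is 0 (the record is silently dropped)."""
    counts = Counter()
    for eid, _ in events:
        if eid in allowed_ids:
            counts[eid] += 1
    return counts


def audit_policy_changes(events):
    """Decode the 4719 records: who changed which subcategory, and how."""
    changes = []
    for eid, data in events:
        if eid != 4719:
            continue
        code = data.get("AuditPolicyChanges", "")
        changes.append({
            "user": data.get("SubjectUserName", ""),
            "subcategory_guid": data.get("SubcategoryGuid", ""),
            "change": AUDIT_POLICY_CHANGE_CODES.get(code, code),
        })
    return changes


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("logon list only :", dict(count_by_event_id(evs, LOGON_EVENT_IDS)))
    print("with 4719       :", dict(count_by_event_id(evs, AUDIT_POLICY_EVENT_IDS)))
    print("policy changes  :", audit_policy_changes(evs))
```

Run it as a script: the first counter never contains key 4719 even though the sample holds such a record, which is the behaviour the reporter describes; the second counter keeps it, and `audit_policy_changes` shows the decoded change (here, "Success removed" on the subcategory named by the GUID). The 4672 record is dropped by both lists, which is what an allow-list is for; the point is only that 4719 has to be on the list before any 4719-specific counting can happen.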

shu-tom commented 5 years ago

Audit policy change status is stored as different data. This may be a different issue. https://github.com/JPCERTCC/LogonTracer/blob/49d5345f57a3df9e0d7c645a9ea015311f244e46/logontracer.py#L721

Can you share the event log with me so that I can resolve this issue? If you can share it, please send it to logontracer.help (at) gmail.com