Identify Successful Authentication Events in IIS

Question

I have to find out all logs from IIS log files where we have Authentication Successful messages. Now I know that status code 200 is for a success message but this code can be returned for any request raised by client. How can I identify Authentication successful (in my case Windows Authentication to be more specific) events from log files?

Answer 1

IIS access logs won't have successful authentication events, it only logs URL requests, and the account that did the request (if authenticated).

For authentication events for windows authentication, you need to open the "Local Security Policy" snap-in (secpol.msc) on the local computer or by using Group Policy.

Then, go to the Security Settings\Advanced Audit Policy Configuration tree, and in the Logon/Logoff section, configure the Success audit event of "Audit Logon".

More information in Microsoft docs.

Once done, you'll start receiving events in the Windows event viewer, under Windows Logs\Security. They'll appear as event id 4624. Note that this event will appear only when the user is accessing the web application from a different computer. Opening the browser on localhost won't generate that event if the user is logged-in already, which happens when using Internet Explorer.

Answer 2

For Windows authentication, you have to correlate Windows logon audit in system event log and IIS log files. No easy way to get what you want.

https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx