Schannel event logging for TLS versions

  • 198 Views
  • Last Post 27 March 2019
BrianB posted this 25 March 2019

All:

I need to spot check TLS connections that are coming into our DC from clients. This is a best effort exercise. I know how to turn on the Schannel logging and that it requires a reboot. But, can the logging levels be changed between 0 and 7 without having to reboot once the key is created?

Brian Britt

phowell posted this 25 March 2019

In my recent experience, you do have to reboot the box after making changes to the key to get the additional logging levels.

My advice is to go directly to 7 and take the bounce during a maintenance window and it should get you what you need.  We tried the lower values but it wasn’t until combining all of the logging levels that it became truly useful for troubleshooting.


-Phil


BrianB posted this 25 March 2019

Phil,

So if I want to change the logging level back to 0 after my spot check, it requires another reboot?

Brian Britt

michael1 posted this 25 March 2019

I can answer that one – yes. (I’ve never tried to change to anything but 0 and 7.)

Couldn’t you do this with Wireshark? Or netmon?

Thanks.

Regards,

Michael B.

phowell posted this 25 March 2019

The additional Schannel logging is good to have in addition to packet capture data.

For example, my recent case was figuring out cipher config issues on some workstations that had a botched deployment and were missing some required ciphers. Packet captures gave us some hints but Schannel logging helped narrow down the exact issues.

-Phil

BrianB posted this 27 March 2019

Yes you can achieve a similar result with a network tool, but that can be a little cumbersome. If Schannel logging is enabled, then I can have logs that would be easier to read and filter. IMO.

Brian Britt
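For readers who want to do what the thread describes, here is an added PowerShell example (not code from any poster in this thread). It sets the Schannel `EventLogging` DWORD under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL` to a level between 0 and 7 and then summarises negotiated TLS versions and cipher suites from the Schannel events in the System log, which is the "easier to read and filter" view Brian describes. Successful-handshake event 36880 is an informational event, so it only appears once the level includes the informational bit (4), which is why Phil's advice to go straight to 7 matters. The regular expressions that pull `Protocol:` and `CipherSuite:` out of the event message text are an assumption about the message format and may need adjusting per Windows version; the function and parameter names are mine.

```powershell
# Added example: manage Schannel event logging and summarise TLS handshakes.
# Assumes Windows PowerShell 5.1 or later, run as Administrator.
# Registry path and value name are the standard Schannel logging switch;
# event IDs 36880 (handshake succeeded), 36874 (no common cipher suite) and
# 36887 (fatal alert received) are Schannel's System-log events.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelLogging {
    # Level is a bitmask: 1 = errors, 2 = warnings, 4 = informational/success.
    # 7 enables all three; 0 turns Schannel event logging off again.
    param([ValidateRange(0, 7)][int]$Level)

    if (-not (Test-Path $SchannelKey)) {
        New-Item -Path $SchannelKey -Force | Out-Null
    }
    Set-ItemProperty -Path $SchannelKey -Name 'EventLogging' -Value $Level -Type DWord

    # As discussed in the thread, the new level only takes effect after a reboot.
    Write-Warning "Schannel EventLogging set to $Level; reboot for the change to apply."
}

function Get-SchannelLogging {
    # Returns the current level, or 0 if the value has never been created.
    $item = Get-ItemProperty -Path $SchannelKey -Name 'EventLogging' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.EventLogging
}

function Get-SchannelHandshakeSummary {
    # Counts successful handshakes (event 36880) by negotiated protocol and cipher
    # suite over the last $Hours hours. Useful for spotting legacy TLS clients.
    param([int]$Hours = 24)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36880
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message body carries lines such as
            #   "Protocol: TLS 1.2" and "CipherSuite: 0xC030".
            $proto  = if ($_.Message -match 'Protocol:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { 'unknown' }
            $cipher = if ($_.Message -match 'CipherSuite:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
            [pscustomobject]@{ Protocol = $proto; CipherSuite = $cipher }
        } |
        Group-Object Protocol, CipherSuite |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

function Get-SchannelHandshakeFailures {
    # Lists the failure events that helped in Phil's cipher-mismatch case:
    # 36874 (client offered no cipher suite the server accepts) and
    # 36887 (fatal TLS alert received from the peer).
    param([int]$Hours = 24)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = @(36874, 36887)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Typical spot-check sequence:
#   Set-SchannelLogging -Level 7      # then reboot during a maintenance window
#   Get-SchannelHandshakeSummary -Hours 48
#   Get-SchannelHandshakeFailures -Hours 48
#   Set-SchannelLogging -Level 0      # and reboot again to switch it back off
```

Because 36880 is written for every completed handshake, level 7 on a busy domain controller generates a large volume of System-log entries; size the log or shorten the spot-check window accordingly, and use `-Hours` to keep the summary to the period you actually care about.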