NTLast v3.0 FAQs

0.0	Definitions and Information 
            
	0.1 What is NTLast?
	0.2 What is the difference between NTLast and using the Event Viewer or the SECURITY LOG?
	0.3 What is the difference between v1.5 and 3.0?
	


1.0 Auditing and Running ... 

	1.1 How do I get NTLast to run?
	1.2 What about Auditing remote machines?
	1.3 I want to get more than 10 records


2.0  Troubleshooting

	2.1 NTLast looks like it isn't working!
	2.2 NTLast is not showing any records?
	2.3 I am getting nothing but blank lines?
	2.4 NTLast is not showing any recent records?
 


0.0 Definitions and Information

0.1 What is NTLast?

	NTLast is a command line utility that quickly scans the NT event log and reports logon/logoff activity. It
	is very useful because it isolates security-specific events so that you don't have to spend time looking for them.
	NTLast can get you the answers you need fast.

0.2 What is the difference between NTLast and using the Event Viewer or the SECURITY LOG?

	NTLast's sole purpose is to read, analyze and filter the security log, so the log must already contain entries
	for it to work. While the Event Viewer also does this, I created NTLast to suit my needs as a security guy. I feel
	it does a better job in this area. I made it so that it helps me easily see things that Event Viewer does not
	(such as user time frames and sniffed passwords).

	NTLast is a very simple program to run. However, you do need to know what it
	is that you are looking at for it to really work for you.

0.3 What is the difference between NTLast v1.5 and version 3.0?

	NTLast version 2.0 offers more advanced and useful auditing features. It has also been tailored to better suit
	administrators of IIS 4.0 machines. Version 3.0 makes it much easier to sift through the logon data of busy web
	servers.

	The biggest difference is that it allows you to track individual user logon activity.

	Who is trying to get into my machine?

	Just use the /f switch to see who is guessing your passwords and user names.



 
1.0 Auditing and Running...

1.1 How do I get NTLast to run?

	First, you must make sure that auditing is turned on. You do this by going to User Manager and, under auditing,
	selecting both logon/logoff options. Then just run the command 'ntlast' from a command prompt.

1.2 What about Auditing remote machines?

	Just use the /m switch to designate which machine you want to audit. Example: ntlast /m myserver

1.3 I want to get more than 10 records

	Just use the /n switch with the number you do want. Example: ntlast /n 75

	You can find NTLast at this site, and also at NTSecurity.net. They have been kind enough to post it as well.



2.0 Troubleshooting

2.1 NTLast looks like it isn't working!

	The most probable reason is that you have not turned on auditing in the event log. This is done through User Manager.

2.2 NTLast is not showing any records?

	Either you have not turned on auditing in the event log, or there are no records. This can happen if someone has cleared the 
        log, or in the case of a new machine or.

2.3 I am getting nothing but blank lines?

	The blank lines represent NULL logon sessions. These are usually the result of normal NT server activity. 99% of the 
        time this is the case. However, it is possible that this represents an anonymous hacker logon. 
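
	As an added example (not part of NTLast or of the original FAQ), the Python code below applies to constructed
	logon records the kind of filtering described in 0.3 (failed logons, as with /f) and in 2.3 (blank user names
	from NULL sessions). The record layout, the sample names and the rule that a blank user name marks a NULL
	session are assumptions of the example; 528 and 529 are the Windows NT security-log event IDs for successful
	and failed logons.

```python
from collections import Counter

# Windows NT security-log event IDs for logon auditing.
LOGON_SUCCESS = 528
LOGON_FAILURE = 529  # unknown user name or bad password

# Constructed records: (event_id, time, user, source workstation).
# This tuple layout is an assumption of the example, not NTLast's own format.
SAMPLE = [
    (528, "1999-03-01 08:02", "alice", "WKS01"),
    (529, "1999-03-01 23:10", "administrator", "UNKNOWN7"),
    (529, "1999-03-01 23:10", "admin", "UNKNOWN7"),
    (529, "1999-03-01 23:11", "administrator", "UNKNOWN7"),
    (528, "1999-03-02 02:15", "", "SERVER2"),   # blank user: NULL session
    (529, "1999-03-02 09:00", "bob", "WKS02"),  # one mistyped password
    (528, "1999-03-02 09:01", "bob", "WKS02"),
]

def failed_logons(records):
    """Count failed logons per (source, user), most frequent first."""
    counts = Counter((src, user) for eid, _, user, src in records
                     if eid == LOGON_FAILURE)
    return counts.most_common()

def guessing_sources(records, min_users=2):
    """Sources whose failures span several different user names."""
    names = {}
    for eid, _, user, src in records:
        if eid == LOGON_FAILURE:
            names.setdefault(src, set()).add(user.lower())
    return sorted(src for src, users in names.items() if len(users) >= min_users)

def null_sessions(records):
    """Successful logons with an empty user name (assumed NULL sessions)."""
    return [(when, src) for eid, when, user, src in records
            if eid == LOGON_SUCCESS and not user.strip()]

if __name__ == "__main__":
    for (src, user), n in failed_logons(SAMPLE):
        print(f"{n:3d} failed  {user or '<blank>':15s} from {src}")
    print("name guessing from:", guessing_sources(SAMPLE))
    print("NULL sessions:", null_sessions(SAMPLE))
```

	A single failure followed by a success for the same user (bob above) reads as a typing mistake, while one
	source failing against several user names is the pattern worth reviewing first.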

2.4 NTLast is not showing any recent records?

	The most likely cause is that your event log stopped recording events some time ago because it was full. No new
	records are recorded, so only old information shows up in NTLast. This makes it appear that NTLast is not
	working correctly.
