Re: Windows Log

I'm not a expert but couldn't you script something to run everytime
(HKLM...Run or throught LoginScripts) a user logged into a machine to
output the username and machine to a SQL DB or the like...just an
idea. Not sure how big your org is but even a text file something like

echo %username% >> \\UNCPATHTOASERVER\\logininfo.txt
hostname >> \\UNCPATHTOASERVER\\logininfo.txt

This is pretty basic but you get the idea


Ryan




On 1/19/06, Nick Duda <nduda@xxxxxxxxxxxxxx> wrote:
>
> To continue this topic, I'm faced with the same thing....
>
> The problem is that with all these event id's 672, 673, 540...etc there is still no positive way to say , when a user logged on (via cntrl,alt delete) and logged off, as in shutdown or log off.
>
> My goal, is to use syslog or some other form of monitoring to keep records of each employees logon/logoff of a PC physically on the network. I've been knee deep into all these event id's and nothing is accurate.
>
> Please help.
>
> -----Original Message-----
> From: List Spam [mailto:listspam@xxxxxxxxx]
> Sent: Tuesday, January 17, 2006 10:08 AM
> To: security-basics@xxxxxxxxxxxxxxxxx
> Subject: Re: Windows Log
>
> There are many types of logins that can be performed in an an AD
> environment. Among these are full desktop logins by a user (aka
> interactive login), non-interactive network logins (e.g. mount a
> share), computer accounts authenticating to the domain, etc.
>
> I would venture a guess that you don't want to disallow the ability to
> log other security events, but want to easily find login events of
> some type (see above) without having to wade through the full set of
> logged data. If this is the case, you could simply filter the logs to
> show the event id that is specific to the action you are looking to
> see.
>
> You could use the built-in "Event Viewer" application for it,
> EventCombMT (Google it), one of the resource kit log dumping
> utilitities, VBScripts, or just about anything else to export this
> info. Some VBScript examples are below:
>
> http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/defaultmspx
>
> I dare say that if you're trying to audit security on a box, you don't
> want to hack up the data collection facility, but want to simply get
> better use from that data.
>
> My two cetns.
>
> On 1/16/06, Rod <rod.rio@xxxxxxxxx> wrote:
> > Hi all,
> >
> > I have a Win2k Server, who is my Domain Controller, and I'd like it to
> > log only the LOGON/LOGOFF events. I know that there are a whole class
> > of logon/logoff events, but I´d like to log only when a user logon
> > into a machine in the domain.
> >
> > Hope I was clear... thx
> >
> >
> > --
> > Rodrigo M. T. Fernandez
> > Departamento de Ciência da Computação UFRJ
> > Grupo de Respostas a Incidentes de Segurança - GRIS UFRJ
> > www.dcc.ufrj.br | www.gris.dcc.ufrj.br
> >
> > ---------------------------------------------------------------------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management
> > education and the case study affords you unmatched consulting experience.
> > Tailor your education to your own professional goals with degree
> > customizations including Emergency Management, Business Continuity Planning,
> > Computer Emergency Response Teams, and Digital Investigations.
> >
> > http://www.msia.norwich.edu/secfocus
> > ----------------------------------------------------------------------------
> >
> >
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------
>
>
>
>
> ---------------------
> Confidentiality note:
> The information in this email and any attachment may contain
> confidential and proprietary information of VistaPrint and/or
> its affiliates and may be privileged or otherwise protected
> from disclosure. If you are not the intended recipient,
> you are hereby notified that any review, reliance or distribution
> by others or forwarding without express permission is strictly
> prohibited and may cause liability. In case you have received this
> message due to an error in transmission, please notify the sender
> immediately and to delete this email and any attachment from your
> system.
> ---------------------
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------