Re: Record User Logon/Logoff with Computer Name + Username
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Feb 2006 13:48:13 -0600
Your experience is pretty much the way it is. Logon events will be
particularly numerous for domain controllers as users and computers access
sysvol, etc. Your boss may need to evaluate again exactly what he needs and
the time he is willing to invest in it. While auditing logon successes can
be helpful, often it is the logon failures that give more valuable
information from a security perspective. You may find the free tool Event
Comb from Microsoft helpful in looking for specific events and text strings,
and also take a look at third party programs that help make more sense of
the security logs, such as the one from the LANguard folks called SELM that
you can try for free.
--- Steve
http://www.gfi.com/lanselm/ --- SELM
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch02.mspx --- info on auditing including link to Event Comb.
"mem0ri" <mem0ri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A93BD4B2-F273-47C6-BBF1-0709CFF6CF8F@xxxxxxxxxxxxxxxx
We're running a Windows 2000 server to which many workstations logon
throughout the day. The boss would like a record of all remote access
successes with a record of the a)incoming computer name, b)username
c)logon time and logoff time.
I have been attempting to run a record through the Event Viewer and have:
1)Been able to successfully record "Account Logon Events" (672) but these
only give me the username that logged on and the time of initial logon.
Additionally, to get the information I have to look at the "properties" of
each event...as the user is inherently "SYSTEM" when listed in the main
Event Log.
This Method is missing: Incoming Computer Name, Logoff Time.
2)Been able to successfully record network Logon/Logoff events (540, 538),
though these occur in the thousands (yesterday there were about 18000 of
these events) and provide me with virtually no useful information (a
logoff occurs virtually simultaneously with a logon when you compare
ticket ids).
Additionally, though a username is recorded...there is no computer name or
reliable way to track times.
It is my understanding that the Security Event Viewer is meant to record
things like Account Logons and Logoffs...but nothing seems to be working.
For a short while, I managed to get 682/683 events whenever we tested a
VPN access...though those events aren't directly related to a remote access,
they did record a username and computer name and time of logon. However...it
seems getting these events to show up was more of an accident than an
actual recurring and reliable event.
I am desperate for help. Answer needed:
1)Username and Computer logged on and Time
2)Username and Computer logged off and Time
That's all I need. Can it really be that difficult...heh...(it apparently
is for me...)
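One way to cut the 540/538 volume discussed in this thread down to a per-user report, as an added example that is not part of the original posts: pair each logon with its logoff by Logon ID, skip computer accounts, and drop sessions that close almost immediately. The CSV layout, column names and sample rows are constructed and assume the events have already been exported to text.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; a real export from Event Viewer or another tool
# will have a different layout and must be mapped to these columns first.
SAMPLE = """time,event_id,user,logon_id,workstation
2006-02-20 08:01:12,540,jsmith,0x3E8A1,WS-ACCT-07
2006-02-20 08:01:12,540,WS-ACCT-07$,0x3E8B4,
2006-02-20 08:01:13,538,WS-ACCT-07$,0x3E8B4,
2006-02-20 08:14:40,540,akhan,0x3F210,WS-LAB-02
2006-02-20 08:14:41,538,akhan,0x3F210,
2006-02-20 12:30:05,538,jsmith,0x3E8A1,
2006-02-20 13:02:55,540,jsmith,0x41C77,WS-ACCT-07
"""

FMT = "%Y-%m-%d %H:%M:%S"


def pair_sessions(text, min_seconds=5):
    """Return (user, workstation, logon_time, logoff_time) tuples.

    540 = network logon, 538 = logoff; they are matched on user + Logon ID.
    logoff_time is None when no matching 538 was seen (session still open,
    or the logoff fell outside the exported window).
    """
    open_logons = {}  # (user, logon_id) -> (user, workstation, logon_time)
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"]
        if user.endswith("$"):  # computer accounts, e.g. sysvol access
            continue
        when = datetime.strptime(row["time"], FMT)
        # Logon IDs repeat after a reboot, so process one boot period at a time.
        key = (user.lower(), row["logon_id"].lower())
        if row["event_id"] == "540":
            open_logons[key] = (user, row["workstation"] or "(blank)", when)
        elif row["event_id"] == "538" and key in open_logons:
            name, ws, start = open_logons.pop(key)
            # Discard connections that log off again almost at once.
            if (when - start).total_seconds() >= min_seconds:
                sessions.append((name, ws, start, when))
    for name, ws, start in open_logons.values():
        sessions.append((name, ws, start, None))
    return sessions


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE):
        print(*s, sep=" | ")
```

A 538 with no earlier 540 in the export is ignored, so the export should start at or before the period being reported on.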