What do you do to audit logon/logoff
-
Branch manager just emailed to ask about logon/logoff times of a user.
As this client had never requested any monitoring before, there is nothing setup to do this.
Obviously, I can pull some information from the event log.
What tools do you all use after the fact. Then, if this become an ongoing need, what tools do you guys use for monitoring?
-
@JaredBusch if it's a Windows domain, the DC should have an event logged in the security log. I believe it is event ID 4624.
-
4624 for logons, but logging off can be problematic, since a computer can become disconnected from the network or turned off abruptly. With that said, the logoff event is 4647.
I would enable logon auditing at the workstation level as well. You should be able to track a user pretty well if you need to.
Here's a great reference card that you can keep handy to help you track logon/logoff auditing: https://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx
-
We have successful logins and failed audited at the workstation level.. we don't do logoffs though as we just uses it for security purposes as it generates email alerts on failed attempts. But if you want to actually know who's using it you would want logoff's audited as well.
might be worth checking when files were modified in a user account on the computer, might at least give them some clues.
-
Looking at the RDS server, I have logon/logoff information in the event viewer.
I made a custom view to see what a user has and it looks like only today info is available.
https://i.imgur.com/wtVQxk5.jpgAnyway to have the system save stuff daily? Preferably only the custom view?
-
You can go into your filter's properties, look at the XML, then save it and use it in a PowerShell script (this is really basic - and I've not tested it):
$DateAfter = get-date((get-date).adddays(-1)) -format s #Get 1 day ago... $QueryList = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID='4624') and TimeCreated[@SystemTime>='$DateAfter']]] </Select></Query></QueryList>" Get-WinEvent -FilterXml $QueryList
-
@Rob-Dunn said:
You can go into your filter's properties, look at the XML, then save it and use it in a PowerShell script (this is really basic - and I've not tested it):
Thanks, testing it. and btw, for markdown, you notate a code block with three backticks ` to open and close the block. or for a simple one liner, you can put 4 spaces in front of the line.
-
So this worked..
$SomeUser = "username" $QueryList = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[EventData[Data[@Name='TargetUserName'] and (Data='$SomeUser')]] and *[System[(EventID=4624 or EventID=4647)]]</Select></Query></QueryList>" Get-WinEvent -FilterXml $QueryList
resulting in
TimeCreated ProviderName Id Message ----------- ------------ -- ------- 12/21/2015 7:59:38 AM Microsoft-Windows-Security... 4624 An account was successfull... 12/21/2015 7:59:37 AM Microsoft-Windows-Security... 4624 An account was successfull... 12/21/2015 7:59:34 AM Microsoft-Windows-Security... 4624 An account was successfull... 12/21/2015 7:59:34 AM Microsoft-Windows-Security... 4624 An account was successfull...
-
now to go lookup some of @Rob-Dunn's other work to make it email..
-
@JaredBusch
Got it!Thanks man
-
Nice! I just came off of working on an Event Log audit script that takes in some parameters and returns results from all my domain controllers. I'll share it here when done - so far that I've seen, it returns results fairly quickly (querying multiple DCs at once). Using Get-WinEvent with an XML or hash filter is super fast!
-
Not sure if this is helpful to you,
https://technet.microsoft.com/en-us/library/dd378867(v=ws.10).aspx
Import-Module ActiveDirectory function Get-ADUserLastLogon([string]$userName) { $dcs = Get-ADDomainController -Filter {Name -like "*"} $time = 0 foreach($dc in $dcs) { $hostname = $dc.HostName $user = Get-ADUser $userName | Get-ADObject -Properties lastLogon if($user.LastLogon -gt $time) { $time = $user.LastLogon } } $dt = [DateTime]::FromFileTime($time) Write-Host $username "last logged on at:" $dt } Get-ADUserLastLogon -UserName type-username-here