    What do you do to audit logon/logoff

Rob Dunn

4624 for logons, but logging off can be problematic, since a computer can become disconnected from the network or turned off abruptly. With that said, the logoff event is 4647.

I would enable logon auditing at the workstation level as well. You should be able to track a user pretty well if you need to.

Here's a great reference card that you can keep handy to help you track logon/logoff auditing: https://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx
Jason

We have successful and failed logins audited at the workstation level. We don't do logoffs, though, as we just use it for security purposes, since it generates email alerts on failed attempts. But if you want to actually know who's using it, you would want logoffs audited as well.

Might be worth checking when files were modified in a user account on the computer; that might at least give them some clues.
JaredBusch

Looking at the RDS server, I have logon/logoff information in the event viewer.

I made a custom view to see what a user has, and it looks like only today's info is available.

[image: wtVQxk5.jpg]

Any way to have the system save stuff daily? Preferably only the custom view?

[image: JlAf1XP.jpg]
Rob Dunn

You can go into your filter's properties, look at the XML, then save it and use it in a PowerShell script (this is really basic - and I've not tested it):

```powershell
# One day ago, as UTC in the ISO 8601 form the event log XPath expects
# (the same form Event Viewer writes, e.g. 2015-12-20T07:59:38.000Z)
$DateAfter = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-dd\THH:mm:ss.fff\Z")

# Logon events (4624) created after that time; &gt; is the XML escape for >
$QueryList = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID=4624) and TimeCreated[@SystemTime&gt;='$DateAfter']]]</Select></Query></QueryList>"

Get-WinEvent -FilterXml $QueryList
```
JaredBusch @Rob Dunn

@Rob-Dunn said:

> You can go into your filter's properties, look at the XML, then save it and use it in a PowerShell script (this is really basic - and I've not tested it):

Thanks, testing it. And btw, for markdown, you notate a code block with three backticks (`) to open and close the block, or for a simple one-liner, you can put 4 spaces in front of the line.
JaredBusch

So this worked:

```powershell
$SomeUser = "username"

# Events whose TargetUserName is the user, restricted to logon (4624) and logoff (4647)
$QueryList = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[EventData[Data[@Name='TargetUserName'] and (Data='$SomeUser')]] and *[System[(EventID=4624 or EventID=4647)]]</Select></Query></QueryList>"

Get-WinEvent -FilterXml $QueryList
```

resulting in

```
TimeCreated                   ProviderName                                             Id Message
-----------                   ------------                                             -- -------
12/21/2015 7:59:38 AM         Microsoft-Windows-Security...                          4624 An account was successfull...
12/21/2015 7:59:37 AM         Microsoft-Windows-Security...                          4624 An account was successfull...
12/21/2015 7:59:34 AM         Microsoft-Windows-Security...                          4624 An account was successfull...
12/21/2015 7:59:34 AM         Microsoft-Windows-Security...                          4624 An account was successfull...
```
JaredBusch @JaredBusch

Now to go look up some of @Rob-Dunn's other work to make it email..
Rob Dunn @JaredBusch

@JaredBusch
Got it!

Thanks man 🙂
Rob Dunn

Nice! I just came off of working on an Event Log audit script that takes in some parameters and returns results from all my domain controllers. I'll share it here when done. So far, from what I've seen, it returns results fairly quickly (querying multiple DCs at once). Using Get-WinEvent with an XML or hash filter is super fast!
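A combined example, added here and not code from the thread, of the two things discussed above: a parameterised Get-WinEvent hash-filter query run against several machines, as Rob describes, and per-user 4624/4647 results that can then be e-mailed, as JaredBusch wants. It assumes you can read each computer's Security log remotely; the computer names, SMTP server and addresses are placeholders.

```powershell
# Added example (not from the thread). Assumes rights to read each computer's Security log
# remotely; computer names and SMTP details below are placeholders.
function Get-UserLogonActivity {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 1
    )
    # Hash filter: 4624 logon / 4647 logoff in the window; Data pre-filters server-side on
    # any EventData value equal to the user name (the exact field is checked below)
    $filter = @{ LogName = 'Security'; Id = 4624, 4647
                 StartTime = (Get-Date).AddDays(-$Days); Data = $UserName }
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"   # no match or no access
            continue
        }
        foreach ($e in $events) {
            # Read EventData fields by name from the event XML instead of parsing Message text
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $UserName) { continue }   # skip SubjectUserName hits
            [pscustomobject]@{
                Computer  = $computer
                Time      = $e.TimeCreated
                Event     = @{ 4624 = 'Logon'; 4647 = 'Logoff' }[$e.Id]
                LogonType = $data['LogonType']      # 2=interactive, 3=network, 10=RDP (4624 only)
                SourceIP  = $data['IpAddress']
                LogonId   = $data['TargetLogonId']  # pairs a 4624 with its matching 4647
            }
        }
    }
}

# Usage: two hosts, last 24 hours, then e-mail the result if anything was found
$activity = Get-UserLogonActivity -UserName 'username' -ComputerName 'RDS01', 'DC01' -Days 1
$activity | Sort-Object Time | Format-Table -AutoSize
if ($activity) {
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'audit@example.com' -To 'it@example.com' `
        -Subject "Logon/logoff activity for username" -Body ($activity | Format-List | Out-String)
}
```

Matching LogonId values let you pair each 4624 with its 4647 to estimate session length; sessions with no 4647 usually mean the machine was disconnected or powered off, as Rob noted above.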
Dashrender

Not sure if this is helpful to you:

https://technet.microsoft.com/en-us/library/dd378867(v=ws.10).aspx

```powershell
Import-Module ActiveDirectory

# lastLogon is not replicated, so each DC has to be asked and the newest value kept
function Get-ADUserLastLogon([string]$userName)
{
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $time = 0
  foreach($dc in $dcs)
  {
    $hostname = $dc.HostName
    # Query this specific DC; without -Server every iteration would hit the same DC
    $user = Get-ADUser $userName -Server $hostname | Get-ADObject -Server $hostname -Properties lastLogon
    if($user.lastLogon -gt $time)
    {
      $time = $user.lastLogon
    }
  }
  $dt = [DateTime]::FromFileTime($time)
  Write-Host $userName "last logged on at:" $dt
}

Get-ADUserLastLogon -UserName type-username-here
```