Audit User Login on Server 2008.
-
Wow, sounds like logging overload....
I just wanted to make sure that you could actually see the events in question in the server logs before saying your tool (script) didn't work.
Where are you running the script? From the server in question, or remotely?
-
@Dashrender Either way, remotely would be nice.
-
When you look in the logs on the server, are they the same event IDs as you see on the Windows 7 machines for logons?
If they are and if when running the script locally on that same server, I'd say your script is broken or MS has a different location your script needs to look than on Windows 7.
-
@Dashrender Right, on Windows 7 there is a System Event, and a Security Event. Windows Server 2008 does not have the same System event that I can see.
-
@s.hackleman said:
@Dashrender Right, on Windows 7 there is a System Event, and a Security Event. Windows Server 2008 does not have the same System event that I can see.
But did you find the Security event in the logs on the 2008 server manually? Once you do, that will tell you the correct Event ID and you can adjust your scripts.
If you don't see the Events in the logs when you look manually, then you have to fix that first.
-
@Dashrender I get that. The problem is when I look at the raw Security Events there are too many to filter through because every single security check on the server makes a logon event, not just a terminal Login. In Windows 7, there is the nice logon event in System Event. I don't see anything that nice and pretty in Server 2008, that is why I am asking for a better way to do it.
-
@s.hackleman said:
@Dashrender I get that. The problem is when I look at the raw Security Events there are too many to filter through because every single security check on the server makes a logon event, not just a terminal Login. In Windows 7, there is the nice logon event in System Event. I don't see anything that nice and pretty in Server 2008, that is why I am asking for a better way to do it.
You can apply a filter in event viewer
https://technet.microsoft.com/en-us/library/cc722058.aspx
-
@thecreativeone91 said:
@s.hackleman said:
@Dashrender I get that. The problem is when I look at the raw Security Events there are too many to filter through because every single security check on the server makes a logon event, not just a terminal Login. In Windows 7, there is the nice logon event in System Event. I don't see anything that nice and pretty in Server 2008, that is why I am asking for a better way to do it.
You can apply a filter in event viewer
https://technet.microsoft.com/en-us/library/cc722058.aspx
What can I filter on to only show terminal logons?
-
528 for successful log-on, type 10 is Remote Interactive
-
@thecreativeone91 said:
528 for successful log-on, type 10 is Remote Interactive
This is Server 2008. http://windowsitpro.com/systems-management/q-how-can-i-find-windows-server-2008-event-ids-correspond-windows-server-2003-eve
Not Seeing how to filter on Type.
-
It's still Type 10 for Remote on 4624. You have to edit the XML.
-
Figured it out!
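<QueryList>
  <!-- 4624 = successful logon; LogonType 10 = RemoteInteractive (Terminal Services / RDP) -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- The value test is bound to the LogonType field, so another Data field holding '10' cannot match -->
      *[System[(EventID=4624)]
      and
      EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
Thanks to: http://serverfault.com/questions/571732/filtering-security-logs-by-user-and-logon-type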
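
The same filter can also be run from a script, locally or against a remote server, which is what the thread set out to do. The following is an added example, not code from any poster in the thread; `SERVER01` is a placeholder computer name, the output column names are this example's own, and it assumes the account running it may read the remote Security log and that remote event log management is allowed through the server's firewall.

```powershell
# Added example: list Remote Desktop (LogonType 10) logons from a server's Security log.
# 'SERVER01' is a placeholder; pass the real server name with -ComputerName.
param(
    [string]$ComputerName = 'SERVER01',
    [int]$MaxEvents = 200
)

# Event 4624 (successful logon) whose LogonType field is 10 (RemoteInteractive).
[xml]$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]
        and
        EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
'@

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $filterXml `
                           -MaxEvents $MaxEvents -ErrorAction Stop
}
catch {
    # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$events | ForEach-Object {
    # Turn the named <Data> elements of the event into a lookup table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # New-Object PSObject keeps this usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        Time        = $_.TimeCreated
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
} | Sort-Object Time | Format-Table Time, User, SourceIp, Workstation -AutoSize
```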