    Audit User Login on Server 2008.

    IT Discussion. 15 Posts, 3 Posters, 2.8k Views
    s.hackleman:

      I have security auditing turned on in Group Policy. I would just like an easy way, without signing up with a company to download their software, to view historical data of when Domain Users logged on to a desktop on a Server 2008 system. I have a PowerShell script that works great on Windows 7 boxes that grabs System event 7001 for user logon, but when I run it against a server it comes up empty. Does anyone have any tools for something like this?

    Dashrender:

        Do you see those audits in the servers logs when you look manually?

    s.hackleman:

      I see the events, but there are a ton. Every security check is logged for the entire system. I am looking for "user logged in at a terminal or RDP, date/time" and done. Just looking at the Security log, there are multiple entries per minute for every security check happening on an active server.

    Dashrender:

      Wow, sounds like logging overload...

            I just wanted to make sure that you could actually see the events in question in the server logs before saying your tool (script) didn't work.

            Where are you running the script? from the server in question, or remotely?

    s.hackleman:

              @Dashrender Either way, remotely would be nice.

    Dashrender:

      When you look in the logs on the server, are they the same event IDs as you see on the Windows 7 machines for logons?

      If they are, and it's the same when running the script locally on that same server, I'd say your script is broken or MS has a different location your script needs to look in than on Windows 7.

    s.hackleman:

                  @Dashrender Right, on Windows 7 there is a System Event, and a Security Event. Windows Server 2008 does not have the same System event that I can see.

    Dashrender:

                    @s.hackleman said:

                    @Dashrender Right, on Windows 7 there is a System Event, and a Security Event. Windows Server 2008 does not have the same System event that I can see.

      But did you find the Security event in the logs on the 2008 server manually? Once you do, that will tell you the correct Event ID and you can adjust your script.

                    If you don't see the Events in the logs when you look manually, then you have to fix that first.

    s.hackleman:

      @Dashrender I get that. The problem is when I look at the raw Security events there are too many to filter through, because every single security check on the server makes a logon event, not just a terminal login. In Windows 7, there is the nice logon event in the System log. I don't see anything that nice and pretty in Server 2008; that is why I am asking for a better way to do it.

    A Former User:

                        @s.hackleman said:

      @Dashrender I get that. The problem is when I look at the raw Security events there are too many to filter through, because every single security check on the server makes a logon event, not just a terminal login. In Windows 7, there is the nice logon event in the System log. I don't see anything that nice and pretty in Server 2008; that is why I am asking for a better way to do it.

      You can apply a filter in Event Viewer:
                        https://technet.microsoft.com/en-us/library/cc722058.aspx

    s.hackleman:

      @thecreativeone91 said:

      You can apply a filter in Event Viewer:
      https://technet.microsoft.com/en-us/library/cc722058.aspx

                          What can I filter on to only show terminal logons?

    A Former User:

                            528 for successful log-on, type 10 is Remote Interactive

    s.hackleman:

                              @thecreativeone91 said:

                              528 for successful log-on, type 10 is Remote Interactive

                              This is Server 2008. http://windowsitpro.com/systems-management/q-how-can-i-find-windows-server-2008-event-ids-correspond-windows-server-2003-eve

      Not seeing how to filter on Type.

    A Former User:

      It's still Type 10 for Remote on 4624. You have to edit the XML.

    s.hackleman:

                                  Figured it out!

      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">
            <!-- 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP) -->
            *[System[(EventID=4624)]
              and
              EventData[Data[@Name='LogonType']='10']]
          </Select>
        </Query>
      </QueryList>

      Thanks to: http://serverfault.com/questions/571732/filtering-security-logs-by-user-and-logon-type

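The following is an added example and not code from the thread above; it turns the XPath filter the thread arrives at (4624 with LogonType 10, and the earlier "528 on 2003 is 4624 on 2008" exchange) into a script that answers the original question, pulling console (type 2) and RDP (type 10) logons from one or more Server 2008 hosts remotely with Get-WinEvent and printing one row per logon. The hostname SRV2008-01, the 7-day window and the logon-type list are placeholders; it assumes the caller can read the remote Security log (Event Log Readers or admin, with the Remote Event Log Management firewall rule open) and that the machine running the script has PowerShell 3.0 or later (the target can be older; the query runs through the event log RPC interface).

```powershell
# Added example, not part of the original thread.
# Lists interactive (2) and RemoteInteractive/RDP (10) logons from the
# Security log of remote hosts, filtered server-side with the same XPath
# the thread ended up with, so the noisy service/network logons never
# cross the wire.
param(
    [string[]]$ComputerName = @('SRV2008-01'),     # placeholder hostname
    [datetime]$Since        = (Get-Date).AddDays(-7),
    [int[]]$LogonType       = @(2, 10)             # 2 = console, 10 = RDP
)

# Time window in milliseconds for the timediff() XPath function (the same
# construct Event Viewer's "Last 7 days" filter emits).
$ms = [int64]((Get-Date) - $Since).TotalMilliseconds

# One predicate per requested logon type, joined with XPath 'or'.
$typePred = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '

# '<=' must be escaped as &lt;= because the filter is XML.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]
        and EventData[$typePred]]
    </Select>
  </Query>
</QueryList>
"@

foreach ($c in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $c -FilterXml $xml -ErrorAction Stop
    } catch {
        # 'No events were found' and access-denied both land here.
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read EventData fields by name from the event XML rather than by
        # position in .Properties; positions differ between OS versions.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Computer  = $c
            Time      = $e.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Source    = $d.IpAddress       # '-' or '::1' for console logons
            LogonId   = $d.TargetLogonId   # join key for the matching 4634/4647 logoff
        }
    }
}
```

Two things to keep in mind when reading the output. An RDP connection with Network Level Authentication first produces a type 3 (network) 4624 for the credential check and then the type 10 you actually want, and reconnecting to a disconnected session logs another type 10, so the count of type 10 events is not the count of distinct sessions; pair each one with its 4634/4647 by TargetLogonId if you need session duration. And 4624 only exists if success auditing for "Audit logon events" (or the Logon subcategory under advanced audit policy) is enabled on the server, which is the check Dashrender was pressing for: if the filter returns nothing, confirm the policy before blaming the script.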