pzozulka
asked on
Event Log - User Logon/Logoff monitor
Hello Experts,
I am looking for "custom" ideas on how to centrally monitor user logon/logoff activity. Found some software out there that can monitor these things, but nothing out there to do exactly what we need.
EXACTLY what we need:
Monitor workstations in domain and record Logon/Logoff activity.
(Already have GPO settings for this: "Audit account logon events", "audit logon events")
Need to pull this info from workstations to central server. This is easily done manually, by going to the Event Log on Server and "Connect to remote machine", then pull the logs.
However, I need to pull only certain logs (Logon/Logoff) from workstation, AND I need this to be an automated process.
Can this be done? If so, how?
Any ideas?
Thanks.
ASKER CERTIFIED SOLUTION
Use the INTO clause to redirect the output to a file or another ODBC data source. The output format is specified by the -o: switch.
logparser "SELECT ComputerName, TimeGenerated AS LogonTime, STRCAT(STRCAT(EXTRACT_TOKEN(Strings, 1, '|'), '\\'), EXTRACT_TOKEN(Strings, 0, '|')) AS Username INTO XXXX FROM \\SERVERNAME\Security WHERE EventID IN (552; 528)" -i:EVT -o:SQL
where XXXX is the output (with -o:SQL, the target table name).
NOTE: you must make sure your SQL Server ODBC driver and target data source are ready on the computer running Log Parser.
hope it helps,
bbao
ASKER
Thanks man, you're a life saver.
glad to help. :-)
@bbao: I'm having an issue with the syntax. I need to find out the user's logoff activities. Please help! Thank you...
ASKER
LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, EventID, ComputerName, SID, Message INTO report.txt FROM Security WHERE (EventID = 528 OR EventID = 551) AND SID = 'BCR\PavelZ'" -resolveSIDs:ON -o:CSV
I would like to omit the message but there is one thing in there that I really need, the "Login Type".
Here is the "message" portion of that script's output:
"Successful Logon: User Name: PavelZ Domain: BCR Logon ID: (0x0,0x158500) Logon Type: 11 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WS100607 Logon GUID:
Notice the (Logon Type: 11); do you know of a command-line switch to get that field, so that I can omit the entire message?
Another question: is there a way to output to an SQL DB? I saw that as one of the output switches, but I'm not sure how to use it. If you have a sample, that would be awesome.
Thanks so much!
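The automation the question asks for, plus the Logon Type and SQL output points raised in the last post, as one added PowerShell example. This is not code from the thread, from bbao, or from Log Parser's documentation. It wraps Log Parser 2.2 in a loop over a workstation list, pulls only the legacy logon/logoff event IDs used in the thread (528 and 552 logon, 538 and 551 logoff), extracts Logon Type from the insertion strings instead of the full message, and appends to one central CSV. The install path, the workstations.txt list, the CENTRALSRV share, the checkpoint folder, and the rights of the account running it are all assumptions.

```powershell
# Added example, not code from the thread or from Log Parser's own documentation.
# Pull only logon/logoff events from each workstation's Security log with
# Log Parser 2.2 and append them to one central CSV; schedule it to run periodically.
# Assumptions (not stated on the page): the Log Parser install path, a text file
# workstations.txt with one hostname per line, a central share for the output,
# the legacy Windows XP/2003 event IDs the thread uses (528/552 logon, 538/551 logoff),
# and that the account running this can read the remote Security logs.

$LogParser    = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'   # assumed path
$Workstations = Get-Content -Path '.\workstations.txt'                  # assumed list
$OutCsv       = '\\CENTRALSRV\Audit\logon_logoff.csv'                    # assumed share
$CkptDir      = 'C:\Audit\checkpoints'                                   # assumed folder

if (-not (Test-Path -Path $CkptDir)) {
    New-Item -ItemType Directory -Path $CkptDir | Out-Null
}

foreach ($ws in $Workstations) {
    # One checkpoint file per workstation: the EVT input format records the last
    # record it read there, so each run collects only events written since the
    # previous run (-iCheckpoint).
    $ckpt = Join-Path -Path $CkptDir -ChildPath "$ws.lpc"

    # Strings holds the event's insertion strings separated by '|' (the EVT input's
    # default -stringsSep). Username is built the same way as in the accepted answer.
    # Token 3 is "Logon Type" for 528 and 538, matching the field order in the
    # message quoted in the last post (User Name, Domain, Logon ID, Logon Type, ...);
    # 551 and 552 carry no logon type at that position, so the CASE leaves it NULL.
    $query = @"
SELECT ComputerName, TimeGenerated, EventID,
       CASE EventID
            WHEN 528 THEN 'Logon'
            WHEN 552 THEN 'Logon (explicit credentials)'
            WHEN 538 THEN 'Logoff'
            WHEN 551 THEN 'Logoff (user initiated)'
       END AS Activity,
       STRCAT(STRCAT(EXTRACT_TOKEN(Strings, 1, '|'), '\\'), EXTRACT_TOKEN(Strings, 0, '|')) AS Username,
       CASE EventID
            WHEN 528 THEN EXTRACT_TOKEN(Strings, 3, '|')
            WHEN 538 THEN EXTRACT_TOKEN(Strings, 3, '|')
       END AS LogonType
INTO $OutCsv
FROM \\$ws\Security
WHERE EventID IN (528; 552; 538; 551)
"@
    # Collapse the query to one line so it is passed as a single command-line argument.
    $query = ($query -split "`r?`n" | ForEach-Object { $_.Trim() }) -join ' '

    $lpArgs = @(
        $query,
        '-i:EVT',
        "-iCheckpoint:$ckpt",
        '-o:CSV',
        '-fileMode:0',    # 0 = append; with the default -headers:AUTO the header row is written only when the file is new
        '-stats:OFF'
    )
    & $LogParser @lpArgs
    if ($LASTEXITCODE -ne 0) {
        # Unreachable or access-denied workstation: report it and continue with the rest.
        Write-Warning "$ws : Log Parser exited with code $LASTEXITCODE"
    }
}
```

Run it from a scheduled task on the central server. For the SQL output asked about in the last post, replace `-o:CSV -fileMode:0` with `-o:SQL -server:SQLHOST -database:Audit -driver:"SQL Server" -createTable:ON` (hostname and database assumed) and put a table name after INTO instead of the CSV path; -createTable:ON makes Log Parser create the table from the SELECT columns on the first run. The event IDs above are the pre-Vista ones the thread uses; on Windows Vista and later the equivalents are 4624 (logon), 4634 (logoff) and 4647 (user-initiated logoff), and the insertion-string positions differ, so the token indexes would need to be re-checked against one of those events.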