girbot
SBS2003: How to record and monitor login information?
Hi,
Does anyone know of a way to record/monitor login history on an SBS2003 domain? I use untangle/ntop for web usage so that is not what I am after. ISA is not available either.
I am anticipating a query from the CEO asking for the times that people log on and off....
No VPN access, only local.
Thanks :D
ASKER CERTIFIED SOLUTION
ASKER
The login script looks the most usable, I will have to look at it when I am back in the office tomorrow. Thanks so far...
ASKER
Actually I need some help with the below (I've only used login scripts for network shares previously).
What log files is the script looking for, or do I manually create the log folders and change the address in the script to suit?
Security logging is running under event viewer...
:Logging
REM Create the log file on first use; the folder \\ServerName\Temp\Logs must already exist
If Exist "\\ServerName\Temp\Logs\LogOns.Log" GoTo START
Echo Log File > "\\ServerName\Temp\Logs\LogOns.Log"
:START
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\ServerName\Temp\Logs\LogOns.Log"
REM Record any established connections on port 3389 (Remote Desktop)
netstat -an |find "3389" |find /I "established" >> "\\ServerName\Temp\Logs\LogOns.Log"
Echo. >> "\\ServerName\Temp\Logs\LogOns.Log"
ASKER
OK, I am trying to use the VBS script below (taken from https://www.experts-exchange.com/questions/22127291/What-is-the-easy-way-to-audit-and-report-user-login-logout-event.html). It runs and creates the .txt, however nothing is written. All I get is a series of Windows Script Host pop-ups saying either "NT AUTHORITY\SYSTEM should be equivalent to one of the defined users", as well as some users I have included in the script....
Any ideas?
Dim objFSO, objFolder, objFile, objWMI, objItem ' Objects
Dim strComputer, strFileName, objOutput, strFolder, strPath
Dim intEvent, intRecordNum, colLoggedEvents
Dim arrIDs

arrUsers = "DOMAIN\user1, DOMAIN\user2, DOMAIN\user3" 'lowercase for comparisons
arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")
strComputer = "."
strFileName = "\audituser" & Month(Date) & Day(Date) & Year(Date) & ".txt"
strFolder = "D:\Audituser\Logs"
strPath = strFolder & strFileName

Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
End If
If objFSO.FileExists(strFolder & strFileName) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
End If
Set objFile = Nothing
Set objFolder = Nothing

Set objOutput = objFSO.CreateTextFile(strPath, True)
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")

For Each objItem In colLoggedEvents
    intId = Filter(arrIDs, objItem.EventCode)
    If UBound(intId) >= 0 Then
        wscript.echo objItem.User & " should be equivalent to one of the defined users"
        If InStr(arrUsers, lcase(objItem.User)) > 0 Then
            If UBound(intUser) >= 0 Then
                objOutput.WriteLine ("Category: " & objItem.Category _
                    & " string " & objItem.CategoryString)
                objOutput.WriteLine ("ComputerName: " & objItem.ComputerName)
                objOutput.WriteLine ("Logfile: " & objItem.Logfile _
                    & " source " & objItem.SourceName)
                objOutput.WriteLine ("EventCode: " & objItem.EventCode)
                objOutput.WriteLine ("EventType: " & objItem.EventType)
                objOutput.WriteLine ("Type: " & objItem.Type)
                objOutput.WriteLine ("User: " & objItem.User)
                objOutput.WriteLine ("Message: " & objItem.Message)
                objOutput.WriteLine
            End If
        End If
    End If
Next
WScript.Quit
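A corrected form of the filter in the script above, as an added example that is not part of the original thread. The posted script lower-cases the event's user and then searches a list written as "DOMAIN\..." with a case-sensitive InStr, tests an intUser variable that is never assigned, and raises a pop-up for every matching event through wscript.echo; this version matches account names case-insensitively, filters event IDs inside the WQL query, and writes one CSV line per event. The account names and the output file name are placeholders (assumptions); the event IDs and folder are the ones from the post.

```vbscript
Option Explicit
' Added example: account names and output file name are placeholders.
Const LOG_PATH = "D:\Audituser\Logs\logons.csv"   ' folder from the post; file name assumed

Dim arrUsers, arrIDs, objFSO, objOut, objWMI, colEvents, objEvent, strWhere, i

arrUsers = Array("DOMAIN\user1", "DOMAIN\user2", "DOMAIN\user3")   ' placeholders
arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")

' True when strUser equals one of the listed accounts, ignoring case.
Function IsWatchedUser(strUser)
    Dim strName
    IsWatchedUser = False
    If IsNull(strUser) Then Exit Function
    For Each strName In arrUsers
        If StrComp(strName, strUser, vbTextCompare) = 0 Then
            IsWatchedUser = True
            Exit Function
        End If
    Next
End Function

' Put the event-ID filter in the WQL query so WMI does not hand back
' every record in the Security log.
strWhere = ""
For i = 0 To UBound(arrIDs)
    If i > 0 Then strWhere = strWhere & " Or "
    strWhere = strWhere & "EventCode = " & arrIDs(i)
Next

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile(LOG_PATH, True)   ' overwrite on each run

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'Security' And (" & strWhere & ")")

' One line per event: time (CIM datetime string), event ID, account, computer.
For Each objEvent In colEvents
    If IsWatchedUser(objEvent.User) Then
        objOut.WriteLine objEvent.TimeGenerated & "," & objEvent.EventCode & "," & _
            objEvent.User & "," & objEvent.ComputerName
    End If
Next
objOut.Close
```

Run it with cscript.exe under an account that is allowed to read the Security log; the Logs folder must already exist.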
I would post this in the VBS scripting, as well as the MSDOS TAs for a better response since this is now a scripting issue.
I hope this helps !
ASKER
Ok, thanks for pointing me in the right direction and your help previously.