girbot

SBS2003: How to record and monitor login information?

Hi,

Does anyone know of a way to record/monitor login history on a sbs2003 domain? I use untangle/ntop for web usage so that is not what I am after. ISA is not available either.

I am anticipating a query from the CEO asking for the times that people log on and off....

No VPN access, only local.

Thanks :D
SysExpert

Turn on security auditing, and it will show up in the security Event log.


I hope this helps !
ASKER CERTIFIED SOLUTION
SysExpert
girbot

ASKER

The login script looks the most usable, I will have to look at it when I am back in the office tomorrow. Thanks so far...
girbot

ASKER

Actually I need some help with the below (I've only used login scripts for network shares previously).

What log files is the script looking for, or do I manually create the log folders and change the address in the script to suit?

Security logging is running under event viewer...

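:Logging
REM Write the header line only when the log file does not exist yet.
If Exist "\\ServerName\Temp\Logs\LogOns.Log" GoTo START
Echo Log File > "\\ServerName\Temp\Logs\LogOns.Log"
:START
REM Append user, computer, date and time for this logon.
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\ServerName\Temp\Logs\LogOns.Log"
REM Append netstat lines containing 3389 (the Remote Desktop port) that are established.
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\ServerName\Temp\Logs\LogOns.Log"
Echo.  >> "\\ServerName\Temp\Logs\LogOns.Log"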
girbot

ASKER

Ok I am trying to use the vbs script below (taken from - https://www.experts-exchange.com/questions/22127291/What-is-the-easy-way-to-audit-and-report-user-login-logout-event.html), it runs and creates the .txt however nothing is written. All I get is a series of Windows Script Host Pop-ups saying either "NT AUTHORITY\SYSTEM should be equivalent to one of the defined users", as well as some users I have included in the script....

Any ideas?





Dim objFSO, objFolder, objFile, objWMI, objItem ' Objects
Dim strComputer, strFileName, objOutput, strFolder, strPath
Dim intEvent, intRecordNum, colLoggedEvents
Dim arrIDs
 
arrUsers = "DOMAIN\user1, DOMAIN\user2, DOMAIN\user3" 'lowercase for comparisons
arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")
 
strComputer = "."
strFileName = "\audituser" & Month(Date) & Day(Date) & Year(Date) & ".txt"
strFolder = "D:\Audituser\Logs"
strPath = strFolder & strFileName
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
  Set objFolder = objFSO.GetFolder(strFolder)
Else
  Set objFolder = objFSO.CreateFolder(strFolder)
End If
If objFSO.FileExists(strFolder & strFileName) Then
  Set objFolder = objFSO.GetFolder(strFolder)
Else
  Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
End If
 
Set objFile = Nothing
Set objFolder = Nothing
Set objOutput = objFSO.CreateTextFile(strPath, True)
 
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
  & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
 
For Each objItem In colLoggedEvents
  intId = Filter(arrIDs, objItem.EventCode)
  If UBound(intId) >= 0 Then
      wscript.echo objItem.User & " should be equivalent to one of the defined users"
      If InStr(arrUsers, lcase(objItem.User)) > 0 Then
        If UBound(intUser) >= 0 Then
            objOutput.WriteLine ("Category: " & objItem.Category _
              & " string " & objItem.CategoryString)
            objOutput.WriteLine ("ComputerName: " & objItem.ComputerName)
            objOutput.WriteLine ("Logfile: " & objItem.Logfile _
              & " source " & objItem.SourceName)
            objOutput.WriteLine ("EventCode: " & objItem.EventCode)
            objOutput.WriteLine ("EventType: " & objItem.EventType)
            objOutput.WriteLine ("Type: " & objItem.Type)
            objOutput.WriteLine ("User: " & objItem.User)
            objOutput.WriteLine ("Message: " & objItem.Message)
            objOutput.WriteLine
        End If
    End If
  End If
Next
 
 
WScript.Quit
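
A variant of the script above that writes the matching events to the file, as an added example that is not part of the original thread or of the linked question. It compares user names case-insensitively (`InStr` is case-sensitive by default), drops the test on `intUser`, which the posted script never assigns, and removes the per-event `WScript.Echo`. Assumptions: the `DOMAIN\userN` names and `D:\Audituser\Logs` are the posted placeholders, and event ID 538 (logoff on Windows Server 2003) is added to the posted list to capture logoff times.

```vbscript
Option Explicit
' Added example: user names, folder and the 538 logoff ID are assumptions.
Const LOG_FOLDER = "D:\Audituser\Logs"   ' folder used by the posted script
Dim arrUsers, objFSO, objOut, objWMI, colEvents, objEvent, objTime, strQuery

' Accounts to report on (placeholders). Matched case-insensitively below.
arrUsers = Array("DOMAIN\user1", "DOMAIN\user2", "DOMAIN\user3")

' 528 = interactive logon, 540 = network logon (both in the posted list);
' 538 = logoff on Windows Server 2003, added here to get logoff times.
' Filtering in WQL avoids walking every Security event in the script.
strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Security' " & _
           "And (EventCode = 528 Or EventCode = 540 Or EventCode = 538)"

Set objFSO = CreateObject("Scripting.FileSystemObject")
' CreateFolder needs the parent folder (D:\Audituser) to exist already.
If Not objFSO.FolderExists(LOG_FOLDER) Then objFSO.CreateFolder LOG_FOLDER
Set objOut = objFSO.CreateTextFile(LOG_FOLDER & "\audituser" & _
             Month(Date) & Day(Date) & Year(Date) & ".txt", True)
objOut.WriteLine "Time" & vbTab & "EventCode" & vbTab & "User" & vbTab & "Computer"

Set objTime = CreateObject("WbemScripting.SWbemDateTime")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery(strQuery)

For Each objEvent In colEvents
  If IsWatchedUser(objEvent.User) Then
    objTime.Value = objEvent.TimeGenerated   ' DMTF timestamp string
    objOut.WriteLine objTime.GetVarDate(True) & vbTab & objEvent.EventCode & _
                     vbTab & objEvent.User & vbTab & objEvent.ComputerName
  End If
Next
objOut.Close

' True when strUser equals one of arrUsers, ignoring case.
' Events that carry no user (Null) never match.
Function IsWatchedUser(strUser)
  Dim strName
  IsWatchedUser = False
  If IsNull(strUser) Then Exit Function
  For Each strName In arrUsers
    If StrComp(strName, strUser, vbTextCompare) = 0 Then
      IsWatchedUser = True
      Exit Function
    End If
  Next
End Function
```

Run it with `cscript` under an account that can read the Security log; the output is one tab-separated line per logon or logoff event for the listed accounts.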


I would post this in the VBS scripting, as well as the MSDOS TAs for a better response since this is now a scripting issue.


I hope this helps !
girbot

ASKER

Ok, thanks for pointing me in the right direction and your help previously.