Solved

How to evaluate Security Event Logs.

Posted on 2009-04-09
396 Views
Last Modified: 2012-05-06
I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
Question by:Go-GBS
14 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points

The event logs won't answer everything you want. While auditing can be used such that logon events are audited, workstation logoffs will never be audited.

In cases where logon/logoff events from workstations need to be logged, I simply use two simple VBS scripts as Logon / Logoff scripts. These log to a text file location on a network share with the PC name and username, and the date/time of the Logon/Logoff. Simple, but effective.

-Matt
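The logon/logoff script approach Matt describes, as an added example that is not his VBS or any code from this thread: a single PowerShell script assigned as both the Logon and the Logoff script, which appends one tab-separated line (timestamp, event, computer, domain\user) to a per-computer text file on a share, and a `-Report` mode that pairs the lines back into sessions. The share path is a placeholder, the `-Event` value is assumed to be passed from the GPO script-parameter field, and users need write access to the share (snusgubben's e-mail variant below avoids that).

```powershell
# Added example (not the poster's VBS): one script used as both the Logon and
# the Logoff script. Assign it twice in the GPO and pass "-Event Logon" or
# "-Event Logoff" in the script parameters field (assumed setup).
param(
    [ValidateSet('Logon', 'Logoff')]
    [string]$Event = 'Logon',
    [string]$LogShare = '\\FILESERVER\LogonAudit$',   # placeholder share path, not from the page
    [switch]$Report                                   # read the logs instead of writing to them
)

function Get-LogonSessions {
    # Pair each Logon line with the next Logoff line for the same computer|user.
    # Sessions with no Logoff (reboot, crash, still logged on, or a user who
    # only locked the PC) are reported with an empty End.
    param([string]$Path)
    $open = @{}
    Get-ChildItem -Path $Path -Filter *.log |
        Get-Content |
        ForEach-Object {
            $f = $_ -split "`t"
            if ($f.Count -lt 4) { return }          # skip malformed lines
            $key = "$($f[2])|$($f[3])"
            if ($f[1] -eq 'Logon') {
                $open[$key] = $f[0]
            } elseif ($open.ContainsKey($key)) {
                New-Object PSObject -Property @{ User = $f[3]; Computer = $f[2]; Start = $open[$key]; End = $f[0] }
                $open.Remove($key)
            }
        }
    foreach ($k in $open.Keys) {
        $c, $u = $k -split '\|'
        New-Object PSObject -Property @{ User = $u; Computer = $c; Start = $open[$k]; End = '' }
    }
}

if ($Report) {
    Get-LogonSessions -Path $LogShare | Select-Object User, Computer, Start, End | Sort-Object User, Start
    return
}

# One file per computer keeps writes from different PCs from interleaving
$LogFile = Join-Path $LogShare ("{0}.log" -f $env:COMPUTERNAME)

# Tab-separated line: timestamp, event, computer, domain\user
$line = "{0}`t{1}`t{2}`t{3}\{4}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
        $Event, $env:COMPUTERNAME, $env:USERDOMAIN, $env:USERNAME

try {
    Add-Content -Path $LogFile -Value $line -Encoding UTF8 -ErrorAction Stop
} catch {
    # Share unreachable (laptop off the LAN, share down): keep the line locally
    # so the event is not silently lost
    Add-Content -Path (Join-Path $env:TEMP 'logon-audit.log') -Value $line
}
```

To answer the boss's question afterwards, run the same script with `-Report -LogShare <path>` from an account that can read the share; it lists each user's sessions per computer. Note that, as pointed out later in the thread, a lock/unlock cycle produces no line, so a session that spans several days in this output usually means the user locked the screen rather than logged off.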
 

Author Comment

by:Go-GBS
Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
 
LVL 11

Expert Comment

by:Abhay Pujari
Try enabling auditing. If you enable auditing through Group Policy, then I think your problem will get resolved.
 
LVL 58

Expert Comment

by:tigermatt

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt
 

Author Comment

by:Go-GBS
We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?
 
LVL 58

Expert Comment

by:tigermatt

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
 
LVL 11

Expert Comment

by:Abhay Pujari
True, auditing will never log Log off events. But the question says he wants a log of accessing a shared folder. And it can be possible through auditing.
 
LVL 58

Expert Comment

by:tigermatt

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
 
LVL 11

Expert Comment

by:Abhay Pujari
Ok. I took it in a wrong way.
 
LVL 21

Expert Comment

by:snusgubben
Here you got the logon event ID you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But as said above, it will not tell you much. A log on/off script like Matt suggested is an easy way to audit log on/off.

Just remember, if a user just locks his computer and unlocks it the next day, nothing is logged.


SG

 
LVL 11

Expert Comment

by:Abhay Pujari
right. Follow Matt's advice.
 
LVL 21

Expert Comment

by:snusgubben
Forgot to mention, you can also put a script that will send you an e-mail with username and time they logged on/off. Then you don't need a share the specific users need write access to.


SG
 

Author Comment

by:Go-GBS
I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
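The Logon Type field is the only thing in the Security log that separates a person signing in at a console from a machine touching a share, which is what the logon-type link above lists and what the "everything is type 3" problem comes down to. As an added example, not code from this thread, here is a PowerShell collector that reads the logon events, parses the Logon Type out of each one and tags it as interactive (type 2 console, 7 unlock, 10 RDP, 11 cached) or not. It assumes local admin rights on the machine being read, the XP/2003 logon events 528/540 and the Vista/2008+ event 4624, and the message layouts Microsoft documents for them. Run it against the workstation's own Security log rather than the DC: the DC does not see a workstation's interactive logon as type 2, it records the authentication and the type 3 network logons that follow it, so a DC-side view looks like nothing but type 3.

```powershell
# Added example (not from the thread): label Security-log logon events by
# Logon Type so real logons can be separated from share/network access.
# Assumes local admin on the target computer; PowerShell 2-compatible syntax.

# Logon Type codes as Microsoft documents them
$LogonTypeNames = @{
    2  = 'Interactive'        # at the keyboard
    3  = 'Network'            # share access, remote admin tools, etc.
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'             # workstation unlocked
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'     # runas /netonly
    10 = 'RemoteInteractive'  # RDP / Terminal Services
    11 = 'CachedInteractive'  # domain logon with cached credentials (no DC reachable)
}

# Types that mean a person signed in to a session on this machine
$InteractiveTypes = 2, 7, 10, 11

function ConvertFrom-LogonMessage {
    # Pull the user name and Logon Type out of the event's message text.
    # 528/540 label the account "User Name:"; 4624 lists it as "Account Name:"
    # in the "New Logon:" section (the first "Account Name:" is the Subject).
    param([string]$Message)
    $type = $null; $user = $null
    if ($Message -match 'Logon Type:\s*(\d+)') { $type = [int]$Matches[1] }
    if ($Message -match 'User Name:\s*(\S+)') { $user = $Matches[1] }
    elseif ($Message -match '(?s)New Logon:.*?Account Name:\s*(\S+)') { $user = $Matches[1] }
    New-Object PSObject -Property @{ User = $user; LogonType = $type }
}

function Get-LogonSummary {
    param(
        [string[]]$Users,                             # account names to report on; empty = all
        [datetime]$After = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After -InstanceId 528, 540, 4624 |
        ForEach-Object {
            $parsed = ConvertFrom-LogonMessage $_.Message
            $typeName = if ($parsed.LogonType -and $LogonTypeNames.ContainsKey($parsed.LogonType)) {
                $LogonTypeNames[$parsed.LogonType] } else { 'Unknown' }
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                Computer    = $ComputerName
                User        = $parsed.User
                LogonType   = $parsed.LogonType
                TypeName    = $typeName
                Interactive = ($InteractiveTypes -contains $parsed.LogonType)
            }
        } |
        Where-Object { -not $Users -or $Users -contains $_.User }
}

# Usage: only the real logons for two (constructed) user names over the last week
Get-LogonSummary -Users 'jsmith', 'adoe' |
    Where-Object { $_.Interactive } |
    Sort-Object Time |
    Format-Table Time, Computer, User, LogonType, TypeName -AutoSize
```

Drop the `Where-Object { $_.Interactive }` filter to see the type 3 events alongside the real ones; on a file server that is exactly the share-access noise the question describes. Logoff still has to come from the script approach: the corresponding logoff events (538/551 on 2003, 4634/4647 on 2008) are emitted per logon session and fire for network sessions too, so they do not give a clean "user left the PC" time either.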
 
LVL 21

Expert Comment

by:snusgubben
The event log is not a good log to get the info you're after :)