?
Solved

How to evaluate Security Event Logs.

Posted on 2009-04-09
14
Medium Priority
?
403 Views
Last Modified: 2012-05-06
I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
0
Comment
Question by:Go-GBS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
14 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 1500 total points
ID: 24107368

The event logs won't answer everything you want. While auditing can be used such that logon events are audited, workstation logoffs will never be audited.

If cases where logon/logoff events from workstations need to be logged, I simply use two simple VBS scripts as Logon / Logoff scripts. These log to a text file location on a network share with the PC name and username, and the date/time of the Logon/Logoff. Simple, but effective.

-Matt
0
 

Author Comment

by:Go-GBS
ID: 24107388
Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107424
Try enable auditing. If you enable auditing through group policy, then I think your problem will get resolve.
0
10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

 
LVL 58

Expert Comment

by:tigermatt
ID: 24107472

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script-approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt
0
 

Author Comment

by:Go-GBS
ID: 24107500
We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24107537

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107595
True, auditing will never log Log off events. But the question says he wants a log of Accessing shared folder. And it can be possible through auditing.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24107628

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107646
Ok. I took it in a wrong way.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107666
Here you got the logon event ID you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But like said above it will not tell you much. A log on/off script like Matt suggested is a easy way to audit log on/off.

Just remember if a user just locks his computer and unlock it the next day, nothing is logged.


SG

0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107706
right. Follow Matt's advice.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107712
Forgot to mention, you can also put a script that will send you an e-mail with username and time they logged on/off. Then you don't need a share the spesific users need write access to.


SG
0
 

Author Comment

by:Go-GBS
ID: 24107806
I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107924
The event log is not a good log to get the info your after :)
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question