Link to home
Start Free TrialLog in
Avatar of Go-GBS
Go-GBSFlag for United States of America

asked on

How to evaluate Security Event Logs.

I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
ASKER CERTIFIED SOLUTION
Avatar of tigermatt
tigermatt
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Go-GBS

ASKER

Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
Try enable auditing. If you enable auditing through group policy, then I think your problem will get resolve.

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script-approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt
Avatar of Go-GBS

ASKER

We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
True, auditing will never log Log off events. But the question says he wants a log of Accessing shared folder. And it can be possible through auditing.

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
Ok. I took it in a wrong way.
Here you got the logon event ID you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But like said above it will not tell you much. A log on/off script like Matt suggested is a easy way to audit log on/off.

Just remember if a user just locks his computer and unlock it the next day, nothing is logged.


SG

right. Follow Matt's advice.
Forgot to mention, you can also put a script that will send you an e-mail with username and time they logged on/off. Then you don't need a share the spesific users need write access to.


SG
Avatar of Go-GBS

ASKER

I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
The event log is not a good log to get the info your after :)