Solved

How to evaluate Security Event Logs.

Posted on 2009-04-09
400 Views
Last Modified: 2012-05-06
I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
Question by:Go-GBS
14 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24107368

The event logs won't answer everything you want. While auditing can be used such that logon events are audited, workstation logoffs will never be audited.

In cases where logon/logoff events from workstations need to be logged, I simply use two simple VBS scripts as Logon / Logoff scripts. These log to a text file location on a network share with the PC name and username, and the date/time of the Logon/Logoff. Simple, but effective.

-Matt
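As an added example of the logon/logoff script approach described in the accepted answer (this is not Matt's script, and the share path \\server\logonlog$, the per-user file naming and the LOGON/LOGOFF argument convention are all assumptions), here is one VBScript file that can be assigned as both the logon and the logoff script, with a command-line argument telling it which event it is recording:

```vbscript
' Added example, not the script from the thread. Assign the same file twice in the GPO:
'   User Configuration > Windows Settings > Scripts > Logon : logonlog.vbs  (parameter LOGON)
'   User Configuration > Windows Settings > Scripts > Logoff: logonlog.vbs  (parameter LOGOFF)
Option Explicit

' Assumption: a hidden share where users may create/append files but not read others' files
Const LOG_SHARE = "\\server\logonlog$"
Const ForAppending = 8

Dim action, net, fso, logPath, ts, line
Dim computerName, userName, domainName

' The action comes from the script argument; anything unexpected is still written, as UNKNOWN
If WScript.Arguments.Count > 0 Then
    action = UCase(WScript.Arguments(0))
Else
    action = "LOGON"
End If
If action <> "LOGON" And action <> "LOGOFF" Then action = "UNKNOWN"

Set net = CreateObject("WScript.Network")
Set fso = CreateObject("Scripting.FileSystemObject")

computerName = net.ComputerName
userName = net.UserName
domainName = net.UserDomain

' One file per user, so two PCs logging at the same moment never interleave lines in one file
logPath = LOG_SHARE & "\" & domainName & "_" & userName & ".log"

' Tab-separated: timestamp, action, computer, DOMAIN\user (sorts and imports into Excel cleanly)
line = FormatTimestamp(Now) & vbTab & action & vbTab & computerName & vbTab & domainName & "\" & userName

On Error Resume Next
Set ts = fso.OpenTextFile(logPath, ForAppending, True)
If Err.Number <> 0 Then
    ' Share unreachable (laptop off the LAN, server down): give up silently so logon is not delayed
    WScript.Quit 0
End If
ts.WriteLine line
ts.Close
On Error GoTo 0

' yyyy-mm-dd hh:nn:ss, independent of the workstation's regional date format
Function FormatTimestamp(d)
    FormatTimestamp = Year(d) & "-" & Pad2(Month(d)) & "-" & Pad2(Day(d)) & " " & _
                      Pad2(Hour(d)) & ":" & Pad2(Minute(d)) & ":" & Pad2(Second(d))
End Function

Function Pad2(n)
    Pad2 = Right("0" & n, 2)
End Function
```

Two points worth keeping in mind when deploying something like this. First, the NTFS permissions on the share should give users only "Create files / write data" and "Append data" on the folder, not read, so one user cannot browse another user's history; the administrator reads the files. Second, as noted further down in the thread, the scripts only run at an actual logon or logoff: a user who locks the workstation in the evening and unlocks it the next morning produces no entry at all, so a gap between a LOGON line and the next LOGOFF line can be far longer than the time the person was actually at the desk.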

Author Comment

by:Go-GBS
ID: 24107388
Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107424
Try enabling auditing. If you enable auditing through group policy, then I think your problem will get resolved.
LVL 58

Expert Comment

by:tigermatt
ID: 24107472

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script-approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt

Author Comment

by:Go-GBS
ID: 24107500
We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?
LVL 58

Expert Comment

by:tigermatt
ID: 24107537

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107595
True, auditing will never log Log off events. But the question says he wants a log of Accessing shared folder. And it can be possible through auditing.
LVL 58

Expert Comment

by:tigermatt
ID: 24107628

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107646
Ok. I took it in a wrong way.
LVL 21

Expert Comment

by:snusgubben
ID: 24107666
Here you have the logon event IDs you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But as said above, it will not tell you much. A log on/off script like Matt suggested is an easy way to audit log on/off.

Just remember, if a user just locks his computer and unlocks it the next day, nothing is logged.


SG

LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107706
Right. Follow Matt's advice.
LVL 21

Expert Comment

by:snusgubben
ID: 24107712
Forgot to mention, you can also put in a script that will send you an e-mail with the username and the time they logged on/off. Then you don't need a share the specific users need write access to.


SG

Author Comment

by:Go-GBS
ID: 24107806
I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
LVL 21

Expert Comment

by:snusgubben
ID: 24107924
The event log is not a good log to get the info you're after :)