Solved

How to evaluate Security Event Logs.

Posted on 2009-04-09
14
401 Views
Last Modified: 2012-05-06
I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
0
Question by:Go-GBS
14 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24107368

The event logs won't answer everything you want. While auditing can be used such that logon events are audited, workstation logoffs will never be audited.

In cases where logon/logoff events from workstations need to be logged, I simply use two simple VBS scripts as Logon / Logoff scripts. These log to a text file location on a network share with the PC name and username, and the date/time of the Logon/Logoff. Simple, but effective.

-Matt
0
 

Author Comment

by:Go-GBS
ID: 24107388
Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107424
Try enabling auditing. If you enable auditing through group policy, then I think your problem will get resolved.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24107472

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt
0
 

Author Comment

by:Go-GBS
ID: 24107500
We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24107537

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107595
True, auditing will never log Log off events. But the question says he wants a log of accessing a shared folder. And it can be possible through auditing.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24107628

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107646
Ok. I took it in a wrong way.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107666
Here are the logon event IDs you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But as said above, it will not tell you much. A log on/off script like Matt suggested is an easy way to audit log on/off.

Just remember if a user just locks his computer and unlocks it the next day, nothing is logged.


SG

0
 
LVL 11

Expert Comment

by:Abhay Pujari
ID: 24107706
Right. Follow Matt's advice.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107712
Forgot to mention, you can also put a script that will send you an e-mail with username and time they logged on/off. Then you don't need a share the specific users need write access to.


SG
0
 

Author Comment

by:Go-GBS
ID: 24107806
I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24107924
The event log is not a good log to get the info you're after :)
0
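An added example, not code from any post in this thread, of the filtering the thread circles around: given an exported Security log (constructed sample rows here, with the Logon Type already split into a column), keep only console logon types (2, 7, 10, 11), drop the Logon Type 3 network events that share access produces, and flag users who appear only as type 3. The user names, workstation names and CSV layout are assumptions; the event IDs and logon-type meanings are Windows' documented ones.

```python
# Added example for this thread, not code from any answer above. The CSV export is a
# constructed, simplified format; IDs 528/540/538 (XP/2003) and 4624/4634/4647 (Vista+) are Windows' own.
import csv, io

LOGON_IDS = {528, 540, 4624}          # successful logon (540 is network-only on 2003)
LOGOFF_IDS = {538, 551, 4634, 4647}   # logoff and user-initiated logoff
# Types that put a person at a console or RDP session. Type 3 (Network) is share
# access, and is also what a DC records when a workstation authenticates to it.
CONSOLE_TYPES = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

SAMPLE = """\
time,event_id,user,workstation,logon_type
2009-04-09 08:01:12,4624,jsmith,WS-01,2
2009-04-09 08:05:40,4624,jsmith,FILESRV,3
2009-04-09 08:06:10,4634,jsmith,FILESRV,3
2009-04-09 09:30:02,4624,jsmith,WS-01,7
2009-04-09 10:15:00,4624,bjones,FILESRV,3
2009-04-09 12:00:00,4624,akumar,WS-02,10
2009-04-09 17:12:55,4647,jsmith,WS-01,2
"""

def parse(export):
    return [dict(r, event_id=int(r["event_id"]), logon_type=int(r["logon_type"]))
            for r in csv.DictReader(io.StringIO(export))]

def console_sessions(records):
    """Pair each console logon with the next logoff for the same user+workstation; type-3
    events are ignored, an unlock of an open session is counted on it, logoff=None = not audited."""
    sessions, open_by_key = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["user"], r["workstation"])
        if r["event_id"] in LOGON_IDS and r["logon_type"] in CONSOLE_TYPES:
            if r["logon_type"] == 7 and key in open_by_key:
                open_by_key[key]["unlocks"] += 1
                continue
            s = {"user": r["user"], "workstation": r["workstation"], "logon": r["time"],
                 "kind": CONSOLE_TYPES[r["logon_type"]], "logoff": None, "unlocks": 0}
            sessions.append(s)
            open_by_key[key] = s
        elif r["event_id"] in LOGOFF_IDS and key in open_by_key:
            open_by_key.pop(key)["logoff"] = r["time"]
    return sessions

def network_only_users(records):
    """Users seen only with Logon Type 3: their console logons live in the workstation's own log."""
    seen = {}
    for r in records:
        if r["event_id"] in LOGON_IDS:
            seen.setdefault(r["user"], set()).add(r["logon_type"])
    return {u for u, types in seen.items() if types == {3}}
```

Sessions without an audited logoff come back with `logoff` set to `None`, matching the thread's point that workstation logoffs are usually not recorded; the 2003-era IDs are in the sets so the same filter works on an Event Comb export.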

Question has a verified solution.