• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

How to evaluate Security Event Logs.

I have a request from our boss to provide the times a few users have logged on and off of their computers.  The problem is I'm having a real tough time looking through the events and being able to tell what's an actual logon/logoff or just accessing a network share.  I've tried Microsoft's Event Comb, but I'm still not sure what to look for.  Can anyone provide any insight on the best way to do this?  I do know there are 3rd party utilities, but at the current time those aren't really an option.
0
Go-GBS
Asked:
Go-GBS
  • 4
  • 4
  • 3
  • +1
1 Solution
 
tigermattCommented:

The event logs won't answer everything you want. While auditing can be used such that logon events are audited, workstation logoffs will never be audited.

If cases where logon/logoff events from workstations need to be logged, I simply use two simple VBS scripts as Logon / Logoff scripts. These log to a text file location on a network share with the PC name and username, and the date/time of the Logon/Logoff. Simple, but effective.

-Matt
0
 
Go-GBSAuthor Commented:
Interesting idea with the scripts, but as for my current issue, am I basically out of luck?
0
 
Abhay PujariCommented:
Try enable auditing. If you enable auditing through group policy, then I think your problem will get resolve.
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
tigermattCommented:

You are pretty much out of luck - auditing won't log logoff events, so you won't be able to retrieve that information from the logs. This is why the script-approach is handy... but of course, that won't help you go back on this retrospectively.

-Matt
0
 
Go-GBSAuthor Commented:
We do have Audit Logon Events enabled for Success and Failure.  Would any of the other audit policies be what I need?
0
 
tigermattCommented:

Auditing is only going to log Log On events - when the user authenticates to a DC. It will never log Log Off events - it's simply the nature of auditing. Based on your current settings, you may be able to extract the logon events, but no logoff events will have been audited, so that is a no go.

If you have multiple DCs, this will also cause further headache, since logon events will be spread across them all, depending on which DC the user used to authenticate at login.

-Matt
0
 
Abhay PujariCommented:
True, auditing will never log Log off events. But the question says he wants a log of Accessing shared folder. And it can be possible through auditing.
0
 
tigermattCommented:

abhvp,

From the way I read it, the original question was "I have a request from our boss to provide the times a few users have logged on and off of their computers". The user simply stated that they couldn't differentiate between access to a share and user logon events, not that they wanted to log access to shares specifically.

-Matt
0
 
Abhay PujariCommented:
Ok. I took it in a wrong way.
0
 
snusgubbenCommented:
Here you got the logon event ID you can put in a filter in Event Comb: http://www.windowsecurity.com/articles/Logon-Types.html

But like said above it will not tell you much. A log on/off script like Matt suggested is a easy way to audit log on/off.

Just remember if a user just locks his computer and unlock it the next day, nothing is logged.


SG

0
 
Abhay PujariCommented:
right. Follow Matt's advice.
0
 
snusgubbenCommented:
Forgot to mention, you can also put a script that will send you an e-mail with username and time they logged on/off. Then you don't need a share the spesific users need write access to.


SG
0
 
Go-GBSAuthor Commented:
I guess my biggest dilemma is that they all show as Logon Type 3, so I have no real way of distinguishing between them.
0
 
snusgubbenCommented:
The event log is not a good log to get the info your after :)
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 4
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now