Solved

LogParser - Audit User Logons

Posted on 2009-04-24
Last Modified: 2013-12-04
Hello...

I would like to parse the security logs of our domain controllers {2003} and generate daily reports about success / failed login attempts. Gathering the needed log entries seems pretty straightforward... What I could use some help on is some of the other queries. To be more specific...
I would like to ...

- Parse a few domain controllers remotely from a central box and return logon events {success/failed} into a csv file at this point.
- Run a query to return Failed logins for the last 24 hours.
   - Count the number of times per user
   - Count the number of times per requesting location {ie user's machine}
- Run a query to return Successful logins for the last 24 hours.
   - Count the number of times per user
   - Count the number of times per requesting location {ie user's machine}
- Generate an html report with results of prior queries.   I would really be looking for the top 10/25 results for success and failed at this point.

In the end I would like to build an automatic process that does this on a daily basis and then presents the pages to IIS for other folks to look at as needed.   I don't need a fully built process on this {although I wouldn't complain :) }  just some examples to get me started.    My experience with logparser is a bit thin but it looks very promising for what I need...
Question by:fertigj
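A starting point for the failed-logon counts asked for above, written as a Log Parser 2.2 query file. This is an added example, not part of the original thread: `DC01` and `DC02` are placeholder domain controller names, `failed_logons.csv` is a placeholder output file, and the `Strings` token positions are assumed from the Windows Server 2003 logon-failure event layout (user name first, workstation name sixth).

```sql
-- failed_logons.sql (added example, not from the original thread)
-- Run from the central box with:
--   LogParser.exe file:failed_logons.sql -i:EVT -o:CSV
-- DC01 / DC02 are placeholder names; list each domain controller to read.

SELECT TOP 25
    -- Strings holds the event's insertion strings separated by '|'.
    -- Assumed layout for 2003 logon-failure events:
    --   token 0 = user name, token 5 = workstation name.
    EXTRACT_TOKEN(Strings, 0, '|') AS UserName,
    EXTRACT_TOKEN(Strings, 5, '|') AS Workstation,
    COUNT(*)                       AS Failures
INTO failed_logons.csv
FROM \\DC01\Security, \\DC02\Security
WHERE
    -- Windows Server 2003 logon-failure event IDs.
    EventID IN (529; 530; 531; 532; 533; 534; 535; 536; 537; 539)
    -- Last 24 hours: TimeGenerated is local time, SYSTEM_TIMESTAMP() is UTC,
    -- and TIMESTAMP('0000-01-02') represents an interval of one day.
    AND TimeGenerated > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()),
                            TIMESTAMP('0000-01-02', 'yyyy-MM-dd'))
GROUP BY UserName, Workstation
ORDER BY Failures DESC
```

Confirm the token positions first by selecting `TOP 1 Strings` for one of these event IDs on your own controllers. For the successful-logon report, swap in event IDs 528 and 540 and re-check the workstation token, since those events carry an extra logon ID field.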
5 Comments
 

Expert Comment

by:Donald Stewart
ID: 24232427

This may be of use to you:

Log Parser Lizard GUI (free edition)
http://www.lizardl.com/PageHtml.aspx?lng=2&PageId=18&PageListItemId=17

Expert Comment

by:Donald Stewart
ID: 24232433
Also did you bail on your other question ID:24347575 ?

Author Comment

by:fertigj
ID: 24234316
Nope... didn't bail on this question :). I just thought it would be prudent to ask this as a different question. While looking at logparser I found that I can directly query Event logs. I looked at logparser quite a while back {2.0} and it was not able to query event logs {at least to my knowledge}. This is why I started with the idea to pull everything with EventCombMT and then parse. Short version is... I think I should be able to do everything I need with Logparser alone... but I am still looking for some examples to get this started. Once I figure out what I need I will make a note on the other question referring to this question. Hopefully it will help someone else :)

That said... I did install Log Parser Lizard and it was a good start for Logparser, but I am still working/looking for the appropriate queries. I think I am going to pick up "Microsoft Log Parser Toolkit" this week... from there we will see.

Author Comment

by:fertigj
ID: 24234335
Along these lines...but something dealing with security events/logs/etc

Credit to SimonL-UK:
http://aspalliance.com/articleViewer.aspx?aId=1714&pId=-1


Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 24234548
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question