Solved

Logon/ logoff script with auditing purposes

Posted on 2010-11-15
Last Modified: 2012-05-10
Hello,

I made these two scripts for auditing purposes, and a GPO.

1) Audit logon script (auditlogon.cmd):

echo logon %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

2) Audit logoff script (auditlogoff.cmd):

echo logoff %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

What is being recorded in auditlogon.log:
.......
logoff RLeon GBBCNPC007 12/11/2010 16:10:22,06
logonTecnic GBIG003 12/11/2010 17:39:48,07
etc..

How do I also log the external interface (called EXTERNAL)?

Thanks in advance
Question by:VMWARE
 
LVL 51

Expert Comment

by:Bill Prew
==> How do i for logging furthermore, the external interface? (called EXTERNAL)??

I don't understand the question, can you expand on what you want?

~bp
0
 
LVL 35

Expert Comment

by:Joseph Daly
I am also interested please describe in more detail.
0
 

Author Comment

by:VMWARE
Append:

How do I also log the network card through which they are connecting?


0
 
LVL 35

Expert Comment

by:Joseph Daly
Try adding this into your logon/logoff script.

wmic nic where adaptertype="Ethernet 802.3" get name >> \\gbig001\perflogs\auditlogon.log


If the computer has multiple nics this will list all of them.
0
 

Author Comment

by:VMWARE
Hello, xxdcmast:


The output of your command line is this:

Intel(R) PRO/1000 MT Network Connection
Intel(R) PRO/1000 MT Network Connection

But this does not tell me which interface the users are using ...
0
 
LVL 43

Expert Comment

by:Steve Knight
It is probably worth seeing a posting of your output from ipconfig to be sure what you want, as I am not sure if you are saying there is a card called EXTERNAL and also other cards at the same time, for instance.

I am on the phone at the moment but I have a few lines of script here you can grab if you want, or I will customise once on a PC and you have posted ipconfig output:

http://scripts.dragon-it.co.uk

Look under batch and then get IP address. It assigns into a variable so you can use it on your current echo line.

steve

0
 
LVL 70

Expert Comment

by:Chris Dent

If you want the interface used for the connection you might pull it out of the routing table (see "route print"). Although that won't be particularly easy. The command above won't know which interface it will use (echo occurs before the network connection).

You can, of course, use ipconfig, NetSh or WMI to get the list of interfaces and IP addresses as dragon-it has demonstrated. That would let you pull details of either all interfaces or a pre-defined interface.

Chris
0
 
LVL 14

Expert Comment

by:canali
To use wmic and netsh you need administrative privilege... All your users are administrators??
With user privilege you can only use ipconfig, e.g.: ipconfig /all >> \\gbig001\perflogs\auditlogon.log
Can you give us the output of
ipconfig /all
or
wmic nic where adaptertype="Ethernet 802.3" get caption,name,description

So we understand what is "EXTERNAL"

Bye Gas

0
 

Author Comment

by:VMWARE
Hello,

Thinking about what the script should do. How do I add the IP of the user that is logging on?

Thanks
0
 
LVL 51

Accepted Solution

by:
Bill Prew earned 100 total points
A common approach to getting the current IP in a BAT file is:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%


~bp
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
Hence our previous questions asking for an example of the ipconfig output from one of the users.  My link given a week ago above effectively gives you the same as Bill has suggested above, though it splits it down into the different parts of the IP address so that you can, for example, tell which part of your network a user is connected to, or whether they are on wireless or wired, for example if they are different subnets.  The direct link to that was:   http://scripts.dragon-it.co.uk/links/batch-get-tcpip-subnet

Anyway, once you have the network, IP or whatever, you can just add it to your audit lines, e.g. using Bill's code:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%

echo logon %username% %computername% %date% %time% %ip% >> \\gbig001\perflogs\auditlogon.log

Personally I'd probably add commas or another delimiter between the user, computer etc. for ease.  You could also change it to create one file per user/computer/date/network etc. by using those parameters in the filename as long as all computer/usernames are valid filenames, e.g.

echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\users\%username%.txt
echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\Computers\%computername%.txt

etc.

Steve
0
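A reader for the comma-delimited audit lines suggested above, as an added example that is not part of the original posts (Python is used here for the analysis side, not for the logon script). It assumes the dd/mm/yyyy date order and the decimal comma in %time% seen in the question's log excerpt, which adds an extra comma to every line; the sample lines and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the layout "event user,computer,date,time,ip".
# Assumption: %time% uses a decimal comma and %date% is dd/mm/yyyy.
SAMPLE_LOG = """\
logon RLeon,GBBCNPC007,12/11/2010,16:02:10,51,192.168.0.98
logon Tecnic,GBIG003,12/11/2010, 9:39:48,07,
logoff RLeon,GBBCNPC007,12/11/2010,16:10:22,06,192.168.0.98
logoff Guest,GBIG003,12/11/2010,18:00:00,00,192.168.0.12
"""

def parse_line(line):
    """Split one audit line into (event, user, computer, timestamp, ip)."""
    # Only the first space separates the event, so user names may hold spaces.
    event, _, rest = line.strip().partition(" ")
    if event not in ("logon", "logoff"):
        raise ValueError("unknown event: %r" % line)
    fields = [f.strip() for f in rest.split(",")]
    if len(fields) < 5:
        raise ValueError("too few fields: %r" % line)
    user, computer, date = fields[0], fields[1], fields[2]
    ip = fields[-1] or None            # empty when the script found no IP
    # Everything between date and ip is the time; rejoin the decimal comma.
    clock = ".".join(fields[3:-1])
    stamp = datetime.strptime(date + " " + clock, "%d/%m/%Y %H:%M:%S.%f")
    return event, user, computer, stamp, ip

def pair_sessions(text):
    """Match each logoff to the open logon of the same user and computer."""
    open_logons, sessions, orphans = {}, [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, user, computer, stamp, ip = parse_line(line)
        key = (user.lower(), computer.lower())
        if event == "logon":
            open_logons[key] = (stamp, ip)
        elif key in open_logons:
            start, start_ip = open_logons.pop(key)
            seconds = (stamp - start).total_seconds()
            sessions.append((user, computer, start_ip, seconds))
        else:
            orphans.append((user, computer, stamp))  # logoff with no logon
    return sessions, orphans, sorted(open_logons)
```

Logoffs without a logon and logons that never close are worth reviewing: the script runs as the logging-on user, so the share has to be writable by the same users it audits.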
 

Author Comment

by:VMWARE
Suppose a user is logging in through remote desktop. I need to store the remote IP (I tried with the same script but the local machine IP is coming instead of the remote machine's IP). Is it possible to get the remote IP?
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
You should have a variable "%CLIENTNAME%" which is their client PC name.  If this is from RDP internally to your network and you can PING clientname then you could PING this and read the IP back in a similar way to the ipconfig.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
As an example though I have just RDP'd into an internet accessible server in my office, the RDP session just sees "JAMIE" as this PC name I am coming from but it could be anywhere and not be able to identify where from.  If it COULD see my address in this case it would see my external address from this site.


So please elaborate what you want to see here and the circumstances of the RDP logins - i.e. from another site, remote internet address, same site etc. and we might be able to do more.

Steve
0
 
LVL 51

Expert Comment

by:Bill Prew
Can't test anything currently, but another command that might give you some info (although maybe not) could be:

netsh interface ip show address

~bp
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
Haven't tried these yet myself but looks like these would do the trick:

http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm

and their utils pack:

http://www.ctrl-alt-del.com.au/files/CAD_UtilPack.zip

It looks like their util "GETTSCIP" will return the client IP

You can use that with a for command or

GETTSCIP|set /p clientip= would probably do too.

Steve
0
 

Author Comment

by:VMWARE
Hello Steve,

This is what I get with GETTSCIP: 192.168.0.98, it's my remote private IP.

How do I get the public IP and show it in auditlogon.log?

0
 

Author Comment

by:VMWARE
For example, if a solution could integrate something like this,

netstat -an | find "3389" |find "ESTA"
  TCP    192.168.50.9:3389      84.75.157.24:1438      ESTABLISHED

it would be perfect...
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
We could easily read that with a FOR command BUT the problem you have there is if there is more than one RDP session on the box, which is quite likely with a true terminal server, or even with standard admin connections onto a server there could be 2 or 3 with the console - i.e. you won't know which one is which.

Steve
0
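The ambiguity described above, as an added example that is not part of the original posts: it compares the substring filter from the question with an exact match on the local port, and records a client address only when exactly one peer exists. The netstat excerpt is constructed apart from the one line quoted in the thread, the function names are hypothetical, and English state names are assumed.

```python
# Constructed `netstat -an` excerpt. The first TCP row is the one quoted in
# the thread; the remaining rows are made up to show the edge cases.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.50.9:3389      84.75.157.24:1438      ESTABLISHED
  TCP    192.168.50.9:3389      192.168.0.98:50211     ESTABLISHED
  TCP    192.168.50.9:49712     10.1.2.3:3389          ESTABLISHED
  TCP    192.168.50.9:33890     10.1.2.4:1500          ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

def naive_matches(text):
    """Same filter as: netstat -an | find "3389" | find "ESTA"."""
    return [l for l in text.splitlines() if "3389" in l and "ESTA" in l]

def rdp_peers(text, port=3389):
    """Remote addresses of established TCP connections to the local port."""
    peers = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 4 or cols[0] != "TCP" or cols[3] != "ESTABLISHED":
            continue
        # rsplit keeps bracketed IPv6 addresses such as [::1]:3389 intact.
        local_port = cols[1].rsplit(":", 1)[-1]
        if local_port == str(port):
            peers.append(cols[2].rsplit(":", 1)[0])
    return peers

def client_ip_for_audit(text):
    """Return the peer only when it is unambiguous, otherwise None."""
    peers = rdp_peers(text)
    return peers[0] if len(peers) == 1 else None
```

On the sample, the substring filter also picks up an outbound RDP connection and port 33890, and the exact match still leaves two inbound peers, so nothing can be attributed to the session being logged.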
 
LVL 43

Expert Comment

by:Steve Knight
OK, thanks for the points, I guess you gave up then?  I can't think of a nice way of finding that info. sorry!

Steve
0
