Solved

Logon/logoff script for auditing purposes

Posted on 2010-11-15
Last Modified: 2012-05-10
Hello,

I made these two scripts for auditing purposes, and a GPO.

1) Audit logon script (auditlogon.cmd):

echo logon %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

2) Audit logoff script (auditlogoff.cmd):

echo logoff %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

What is being recorded in auditlogon.log:
.......
logoff RLeon GBBCNPC007 12/11/2010 16:10:22,06
logon Tecnic GBIG003 12/11/2010 17:39:48,07
etc..

How do I also log the external interface (called EXTERNAL)?

Thanks in advance
Question by:VMWARE
20 Comments
 
LVL 56

Expert Comment

by:Bill Prew
ID: 34141254
==> How do I also log the external interface (called EXTERNAL)?

I don't understand the question, can you expand on what you want?

~bp
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 34141267
I am also interested please describe in more detail.
0
 

Author Comment

by:VMWARE
ID: 34141282
Append:

How do I also log the NETWORK CARD THROUGH WHICH THEY ARE CONNECTING?


0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 34141320
Try adding this into your logon/logoff script.

wmic nic where adaptertype="Ethernet 802.3" get name >> \\gbig001\perflogs\auditlogon.log


If the computer has multiple nics this will list all of them.
0
 

Author Comment

by:VMWARE
ID: 34141568
Hello, xxdcmast:


The output of your command line is this:

Intel(R) PRO/1000 MT Network Connection
Intel(R) PRO/1000 MT Network Connection

But this does not tell me which interface the users are using...
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 34142660
It is probably worth seeing a posting of your output from ipconfig to be sure what you want, as I am not sure if you are saying there is a card called EXTERNAL and also other cards at the same time, for instance.

I am on my phone at the moment, but I have a few lines of script here you can grab if you want, or I will customise them once I am on a PC and you have posted the ipconfig output:

http://scripts.dragon-it.co.uk

Look under batch and then get IP address. It assigns into a variable so you can use it on your current echo line.

steve

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34143835

If you want the interface used for the connection you might pull it out of the routing table (see "route print"). Although that won't be particularly easy. The command above won't know which interface it will use (echo occurs before the network connection).

You can, of course, use ipconfig, NetSh or WMI to get the list of interfaces and IP addresses as dragon-it has demonstrated. That would let you pull details of either all interfaces or a pre-defined interface.

Chris
0
 
LVL 14

Expert Comment

by:canali
ID: 34149602
To use wmic and netsh you need administrative privilege... Are all your users administrators?
With user privilege you can only use ipconfig, e.g.: ipconfig /all >> \\gbig001\perflogs\auditlogon.log
Can you give us the output of
ipconfig /all
or
wmic nic where adaptertype="Ethernet 802.3" get caption,name,description

So we can understand what "EXTERNAL" is.

Bye Gas

0
 

Author Comment

by:VMWARE
ID: 34196036
Hello,

Thinking about what the script should do: how do I add the IP of the user that is logging on?

Thanks
0
 
LVL 56

Accepted Solution

by:
Bill Prew earned 100 total points
ID: 34196088
A common approach to getting the current IP in a BAT file is:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%


~bp
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
ID: 34196236
Hence our previous questions asking for an example of the ipconfig output from one of the users. My link given a week ago above effectively gives you the same as Bill has suggested above, though it splits it down into the different parts of the IP address too, so that you can, for example, tell which part of your network a user is connected to, or whether they are on wireless or wired if they are different subnets. The direct link to that was: http://scripts.dragon-it.co.uk/links/batch-get-tcpip-subnet

Anyway, once you have the network, IP or whatever, you can just add it to your audit lines, e.g. using Bill's code:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%

echo logon %username% %computername% %date% %time% %ip% >> \\gbig001\perflogs\auditlogon.log

Personally I'd probably add commas or another delimiter between the user, computer etc. for ease. You could also change it to create one file per user/computer/date/network etc. by using those parameters in the filename, as long as all computer/usernames are valid filenames, e.g.

echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\users\%username%.txt
echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\Computers\%computername%.txt

etc.

Steve
0
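Added example, not code from the thread: Bill's loop keeps only the last address that ipconfig prints, so this variant appends every IPv4 address to one delimited audit line. It assumes English ipconfig labels ("IP Address" on XP/2003, "IPv4 Address" on later Windows) and uses ";" as the field delimiter because the sample log lines in the question show %time% with a decimal comma.

```batch
@echo off
rem Added example: delimited logon audit line listing every IPv4 address.
setlocal EnableDelayedExpansion

rem Log path taken from the thread.
set "LOG=\\gbig001\perflogs\auditlogon.log"
set "ips="

rem Assumed labels: "IP Address" (XP/2003) or "IPv4 Address" (later Windows).
rem Each matching line is appended instead of overwriting the previous one.
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /c:"IP Address" /c:"IPv4 Address"') do (
    set "addr=%%A"
    rem Strip the leading space left after the colon.
    set "addr=!addr: =!"
    if defined ips (set "ips=!ips! !addr!") else (set "ips=!addr!")
)
if not defined ips set "ips=unknown"

rem Redirection is written first so a field ending in a digit is never
rem parsed as a handle number in front of ">>".
>>"%LOG%" echo logon;%USERNAME%;%COMPUTERNAME%;%DATE%;%TIME%;%ips%
endlocal
```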
 

Author Comment

by:VMWARE
ID: 34197389
Suppose a user is logging in through Remote Desktop. I need to store the remote IP (I tried with the same script, but the local machine IP is coming instead of the remote machine's IP). Is it possible to get the remote IP?
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
ID: 34197585
You should have a variable "%CLIENTNAME%" which is their client PC name.  If this is from RDP internally to your network and you can PING clientname then you could PING this and read the IP back in a similar way to the ipconfig.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 34197612
As an example though I have just RDP'd into an internet accessible server in my office, the RDP session just sees "JAMIE" as this PC name I am coming from but it could be anywhere and not be able to identify where from.  If it COULD see my address in this case it would see my external address from this site.


So please elaborate on what you want to see here and the circumstances of the RDP logins - i.e. from another site, remote internet address, same site etc. and we might be able to do more.

Steve
0
 
LVL 56

Expert Comment

by:Bill Prew
ID: 34197625
Can't test anything currently, but another command that might give you some info (although maybe not) could be:

netsh interface ip show address

~bp
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
ID: 34197749
Haven't tried these yet myself but looks like these would do the trick:

http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm

and their utils pack:

http://www.ctrl-alt-del.com.au/files/CAD_UtilPack.zip

It looks like their util "GETTSCIP" will return the client IP

You can use that with a for command or

GETTSCIP|set /p clientip= would probably do too.

Steve
0
 

Author Comment

by:VMWARE
ID: 34198480
Hello Steve,

This is what I get with GETTSCIP: 192.168.0.98, it's my remote private IP.

How do I get the public IP and show it in auditlogon.log?

0
 

Author Comment

by:VMWARE
ID: 34199846
For example, if a solution could integrate something like this,

netstat -an | find "3389" |find "ESTA"
  TCP    192.168.50.9:3389      84.75.157.24:1438      ESTABLISHED

it would be perfect...
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 400 total points
ID: 34200767
We could easily read that with a FOR command, BUT the problem you have there is if there is more than one RDP session on the box, which is quite likely with a true terminal server, or even with standard admin connections onto a server there could be 2 or 3 with the console - i.e. you won't know which one is which.

Steve
0
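Added example, not code from the thread: the netstat idea from the question combined with the caveat above, logging every IPv4 peer connected to local port 3389 and flagging the line when more than one is present. Port 3389, %CLIENTNAME% and the log path come from the thread; the field layout and the single/ambiguous/none flag are assumptions of this example.

```batch
@echo off
rem Added example: record all IPv4 peers with an ESTABLISHED connection
rem to local TCP port 3389 and say whether the result is ambiguous.
setlocal EnableDelayedExpansion

set "LOG=\\gbig001\perflogs\auditlogon.log"
set "peers="
set /a count=0

rem netstat -an columns: Proto, Local Address, Foreign Address, State.
for /f "tokens=2,3" %%A in ('netstat -an ^| find ":3389" ^| find "ESTABLISHED"') do (
    set "lport="
    for /f "tokens=2 delims=:" %%P in ("%%A") do set "lport=%%P"
    rem Keep the line only when 3389 is the LOCAL port (inbound RDP);
    rem outbound RDP from this machine and IPv6 lines are skipped.
    if "!lport!"=="3389" (
        for /f "tokens=1 delims=:" %%R in ("%%B") do (
            set /a count+=1
            if defined peers (set "peers=!peers! %%R") else (set "peers=%%R")
        )
    )
)

rem With several peers the script cannot tell which one is this session.
set "flag=single"
if %count% GTR 1 set "flag=ambiguous"
if %count% EQU 0 (
    set "flag=none"
    set "peers=none"
)

rem %CLIENTNAME% is empty for a console logon.
>>"%LOG%" echo logon;%USERNAME%;%COMPUTERNAME%;%CLIENTNAME%;%DATE%;%TIME%;%peers%;%flag%
endlocal
```

The foreign address is whatever device terminated the TCP connection, so behind NAT or a gateway it is that device's address rather than the user's own.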
 
LVL 43

Expert Comment

by:Steve Knight
ID: 34201742
OK, thanks for the points, I guess you gave up then?  I can't think of a nice way of finding that info. sorry!

Steve
0
