  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1079

Logon/logoff script for auditing purposes

Hello,

I made these two scripts for auditing purposes, and a GPO.

1) Audit logon script (auditlogon.cmd):

echo logon %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

2) Audit logoff script (auditlogoff.cmd):

echo logoff %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

What is being recorded in auditlogon.log:
.......
logoff RLeon GBBCNPC007 12/11/2010 16:10:22,06
logon Tecnic GBIG003 12/11/2010 17:39:48,07
etc..

How do I also log the external interface (called EXTERNAL)?

Thanks in advance
0
Asked by: VMWARE
 
Bill Prew Commented:
==> How do I also log the external interface (called EXTERNAL)?

I don't understand the question, can you expand on what you want?

~bp
0
 
Joseph Daly Commented:
I am also interested; please describe in more detail.
0
 
VMWARE (IT security administrator, Author) Commented:
Append:

How do I also log the NETWORK CARD THROUGH WHICH THEY ARE CONNECTING?


0

 
Joseph Daly Commented:
Try adding this into your logon/logoff script.

wmic nic where adaptertype="Ethernet 802.3" get name >> \\gbig001\perflogs\auditlogon.log


If the computer has multiple NICs this will list all of them.
0
 
VMWARE (IT security administrator, Author) Commented:
Hello, xxdcmast:


The output of your command line is this:

Intel(R) PRO/1000 MT Network Connection
Intel(R) PRO/1000 MT Network Connection

But this does not tell me which interface the users are using ...
0
 
Steve Knight (IT Consultancy) Commented:
It is probably worth seeing a posting of your output from ipconfig to be sure what you want, as I am not sure if you are saying there is a card called EXTERNAL and also other cards at the same time, for instance.

I am on my phone at the moment, but I have a few lines of script here you can grab if you want, or I will customise them once I am on a PC and you have posted the ipconfig output:

http://scripts.dragon-it.co.uk

Look under batch and then get IP address. It assigns it into a variable so you can use it on your current echo line.

steve

0
 
Chris Dent (PowerShell Developer) Commented:

If you want the interface used for the connection you might pull it out of the routing table (see "route print"). Although that won't be particularly easy. The command above won't know which interface it will use (echo occurs before the network connection).

You can, of course, use ipconfig, NetSh or WMI to get the list of interfaces and IP addresses as dragon-it has demonstrated. That would let you pull details of either all interfaces or a pre-defined interface.

Chris
0
 
canali Commented:
To use wmic and netsh you need administrative privilege... Are all your users administrators??
With user privilege you can only use ipconfig, e.g.: ipconfig /all >> \\gbig001\perflogs\auditlogon.log
Can you give us the output of
ipconfig /all
or
wmic nic where adaptertype="Ethernet 802.3" get caption,name,description

So we understand what is "EXTERNAL"

Bye Gas

0
 
VMWARE (IT security administrator, Author) Commented:
Hello,

Thinking about what the script should do: how do I add the IP of the user that is logging on?

Thanks
0
 
Bill Prew Commented:
A common approach to getting the current IP in a BAT file is:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%


~bp
0
 
Steve Knight (IT Consultancy) Commented:
Hence our previous questions asking for an example of the ipconfig output from one of the users. My link given a week ago above effectively gives you the same as Bill has suggested above, though it splits it down into the different parts of the IP address too, so that you can, for example, tell which part of your network a user is connected to, or whether they are on wireless or wired if those are different subnets. The direct link to that was: http://scripts.dragon-it.co.uk/links/batch-get-tcpip-subnet

Anyway, once you have the network, IP or whatever, you can just add it to your audit lines, e.g. using Bill's code:

for /f "tokens=2* delims=:" %%A in ('ipconfig ^| find "IP Address"') do set ip=%%A
set ip=%ip: =%

echo logon %username% %computername% %date% %time% %ip% >> \\gbig001\perflogs\auditlogon.log

Personally I'd probably add commas or another delimiter between the user, computer etc. for ease. You could also change it to create one file per user/computer/date/network etc. by using those parameters in the filename, as long as all computer/usernames are valid filenames, e.g.

echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\users\%username%.txt
echo logon %username%,%computername%,%date%,%time%,%ip% >> \\gbig001\perflogs\Computers\%computername%.txt

etc.

Steve
0
 
VMWARE (IT security administrator, Author) Commented:
Suppose a user is logging in through Remote Desktop. I need to store the remote IP (I tried with the same script, but the local machine's IP is coming instead of the remote machine's IP). Is it possible to get the remote IP?
0
 
Steve Knight (IT Consultancy) Commented:
You should have a variable "%CLIENTNAME%" which is their client PC name.  If this is from RDP internally to your network and you can PING clientname then you could PING this and read the IP back in a similar way to the ipconfig.

Steve
0
 
Steve Knight (IT Consultancy) Commented:
As an example though, I have just RDP'd into an internet-accessible server in my office; the RDP session just sees "JAMIE" as the PC name I am coming from, but it could be anywhere and it would not be able to identify where from. If it COULD see my address, in this case it would see my external address from this site.


So please elaborate on what you want to see here and the circumstances of the RDP logins - i.e. from another site, remote internet address, same site etc. and we might be able to do more.

Steve
0
 
Bill Prew Commented:
Can't test anything currently, but another command that might give you some info (although maybe not) could be:

netsh interface ip show address

~bp
0
 
Steve Knight (IT Consultancy) Commented:
Haven't tried these yet myself, but it looks like these would do the trick:

http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm

and their utils pack:

http://www.ctrl-alt-del.com.au/files/CAD_UtilPack.zip

It looks like their util "GETTSCIP" will return the client IP.

You can use that with a for command or

GETTSCIP|set /p clientip= would probably do too.

Steve
0
 
VMWARE (IT security administrator, Author) Commented:
Hello Steve,

This is what I get with GETTSCIP: 192.168.0.98; it's my remote private IP.

How do I get the public IP and show it in auditlogon.log?

0
 
VMWARE (IT security administrator, Author) Commented:
For example, if a solution could integrate something like this,

netstat -an | find "3389" |find "ESTA"
  TCP    192.168.50.9:3389      84.75.157.24:1438      ESTABLISHED

it would be perfect...
0
 
Steve Knight (IT Consultancy) Commented:
We could easily read that with a FOR command, BUT the problem you have there is if there is more than one RDP session on the box, which is quite likely with a true terminal server; even with standard admin connections onto a server there could be 2 or 3 with the console - i.e. you won't know which one is which.

Steve
0
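The pieces suggested in this thread (the local IP lookup, %CLIENTNAME% and the netstat filter on port 3389) combined into one logon script, as an added example that is not part of any post. The variable names and the ";" delimiter are assumptions, and the ipconfig match assumes English-language output.

```bat
@echo off
rem Added example (not from the thread): logon audit line with local IP and RDP details.
rem Assumes English-language ipconfig output; LOG is the share used in the question.
setlocal EnableDelayedExpansion
set "LOG=\\gbig001\perflogs\auditlogon.log"

rem Local IPv4 address: "IP Address" on XP/2003, "IPv4 Address" on Vista and later.
rem Only the first match is kept; a multi-homed machine has more than one.
set "ip="
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /c:"IP Address" /c:"IPv4 Address"') do (
    if not defined ip set "ip=%%A"
)
if defined ip (set "ip=!ip: =!") else set "ip=-"

rem RDP client name; the variable is not defined for a console logon.
set "client=-"
if defined CLIENTNAME set "client=!CLIENTNAME!"

rem Remote endpoints of every established connection to local port 3389.
rem With several sessions netstat cannot say which one belongs to this user,
rem so all of them are recorded rather than guessing.
set "peers="
for /f "tokens=2,3" %%A in ('netstat -an ^| find ":3389 " ^| find "ESTABLISHED"') do (
    set "laddr=%%A"
    rem Keep only lines whose LOCAL address ends in :3389 (skips outbound RDP).
    if "!laddr:~-5!"==":3389" set "peers=!peers! %%B"
)
if defined peers (set "peers=!peers:~1!") else set "peers=-"

rem ";" is the delimiter because the time value contains a comma in the
rem locale shown in the question. The redirection comes first so that a
rem value ending in a digit is not read as a handle number.
>>"%LOG%" echo logon;!username!;!computername!;!date!;!time!;!ip!;!client!;!peers!
endlocal
```

Every user needs write access to the log file for this to work, so the same users can also alter earlier entries in it.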
 
Steve Knight (IT Consultancy) Commented:
OK, thanks for the points, I guess you gave up then?  I can't think of a nice way of finding that info. sorry!

Steve
0
