VMWARE


Logon/ logoff script with auditing purposes

Hello,

I made these two scripts for auditing purposes, and a GPO.

1) Audit logon script (auditlogon.cmd):

echo logon %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

2) Audit logoff script (auditlogoff.cmd):

echo logoff %username% %computername% %date% %time% >> \\gbig001\perflogs\auditlogon.log

What is being recorded in auditlogon.log:
.......
logoff RLeon GBBCNPC007 12/11/2010 16:10:22,06
logon Tecnic GBIG003 12/11/2010 17:39:48,07
etc..

How do I additionally log the external interface (called EXTERNAL)?

Thanks in advance
Bill Prew

==> How do I additionally log the external interface (called EXTERNAL)?

I don't understand the question, can you expand on what you want?

~bp

I am also interested; please describe in more detail.
VMWARE

ASKER

Append:

How do I additionally log the NETWORK CARD THROUGH WHICH THEY ARE CONNECTING?


Try adding this into your logon/logoff script.

wmic nic where adaptertype="Ethernet 802.3" get name >> \\gbig001\perflogs\auditlogon.log


If the computer has multiple NICs this will list all of them.
VMWARE

ASKER

Hello, xxdcmast:


The output of your command line is this:

Intel(R) PRO/1000 MT Network Connection
Intel(R) PRO/1000 MT Network Connection

But this does not tell me which interface the users are using ...

It is probably worth seeing a posting of your output from ipconfig to be sure what you want, as I am not sure if you are saying there is a card called EXTERNAL and also other cards at the same time, for instance.

I am on the phone at the moment but I have a few lines of script here you can grab if you want, or I will customise once on a PC and you have posted ipconfig output:

http://scripts.dragon-it.co.uk

Look under batch and then get IP address. It assigns into a variable so you can use it on your current echo line.

steve


If you want the interface used for the connection you might pull it out of the routing table (see "route print"). Although that won't be particularly easy. The command above won't know which interface it will use (echo occurs before the network connection).

You can, of course, use ipconfig, NetSh or WMI to get the list of interfaces and IP addresses as dragon-it has demonstrated. That would let you pull details of either all interfaces or a pre-defined interface.

Chris

To use wmic and netsh you need administrative privilege... Are all your users administrators?
With user privilege you can only use ipconfig, e.g.: ipconfig /all >> \\gbig001\perflogs\auditlogon.log
Can you give us the output of
ipconfig /all
or
wmic nic where adaptertype="Ethernet 802.3" get caption,name,description

So we understand what is "EXTERNAL"

Bye Gas

VMWARE

ASKER

Hello,

Thinking about what the script should do: how do I add the IP of the user that is logging on?

Thanks
ASKER CERTIFIED SOLUTION
Bill Prew

VMWARE

ASKER

Suppose a user is logging in through remote desktop. I need to store the remote IP (I tried with the same script but the local machine's IP is coming instead of the remote machine's IP). Is it possible to get the remote IP?
As an example though I have just RDP'd into an internet accessible server in my office, the RDP session just sees "JAMIE" as this PC name I am coming from but it could be anywhere and not be able to identify where from.  If it COULD see my address in this case it would see my external address from this site.


So please elaborate what you want to see here and the circumstances of the RDP logins, i.e. from another site, remote internet address, same site etc., and we might be able to do more.

Steve
Can't test anything currently, but another command that might give you some info (although maybe not) could be:

netsh interface ip show address

~bp
VMWARE

ASKER

Hello Steve,

This is what I get with GETTSCIP: 192.168.0.98; it's my remote private IP.

How do I get the public IP and show it in auditlogon.log?

VMWARE

ASKER

For example, if a solution could integrate something like this,

netstat -an | find "3389" |find "ESTA"
  TCP    192.168.50.9:3389      84.75.157.24:1438      ESTABLISHED

it would be perfect...
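
The netstat filter from the post above folded into the logon script, as an added example that is not part of the original thread. It keeps only established connections whose local port is 3389 and appends every peer address to the audit line, because on a host with several RDP sessions netstat alone cannot say which peer belongs to the user logging on. The PEERS and LOCAL variables and the :check label are names chosen for this example.

```batch
@echo off
rem Added example (not from the thread): auditlogon.cmd extended to record
rem the remote address of established RDP connections to this machine.
rem Assumes netstat prints the state as ESTABLISHED, as in the output
rem quoted in the post, and that RDP listens on the default port 3389.
setlocal
set "PEERS="

rem netstat -an columns: proto, local address, remote address, state.
rem Tokens 2 and 3 are the local and remote endpoints of each connection.
for /f "tokens=2,3" %%A in ('netstat -an ^| find "ESTABLISHED"') do call :check "%%A" "%%B"

rem Console logons and machines without RDP sessions have no peer to record.
if not defined PEERS set "PEERS=none"

rem Redirection is placed first so a trailing digit is never read as a handle.
>> \\gbig001\perflogs\auditlogon.log echo logon %username% %computername% %date% %time% rdp_peers=%PEERS%

endlocal
goto :eof

:check
rem %1 = local endpoint, %2 = remote endpoint.
rem Keep the connection only when the LOCAL port is 3389, so outbound RDP
rem sessions started from this machine are not mistaken for inbound ones.
set "LOCAL=%~1"
if not "%LOCAL:~-5%"==":3389" goto :eof
if defined PEERS (set "PEERS=%PEERS%,%~2") else set "PEERS=%~2"
goto :eof
```

The recorded address is whatever the server sees as the TCP peer, so a client behind NAT appears with its site's external address rather than its own private one.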
OK, thanks for the points, I guess you gave up then? I can't think of a nice way of finding that info, sorry!

Steve