Monitoring security event logs

I need to be able to monitor the security logs for a bunch of computers in a workgroup. I want to be able to pull all of the successful and failed logons from all of the computers and put them into a nice report.

Does anyone know a cheap program that would be able to do this?
smartsystemsincAsked:
Who is Participating?
 
btanConnect With a Mentor Exec ConsultantCommented:
Cheap means slightly more "work and ingenity" for integration, maybe (2) is better? else with $$ then see (4)

(1) Very manual and need customisation - use of PsLogList to aaccess all the logon success and failure event-log information from the command line. Include all the relevant eventid using the PsLoglist such as "psloglist \\DC1 -s -i <eventid> security". Use and Customise "findfailedlogon.cmd" that find each DC that this script specifies, parses the output of the Psloglist command against that server and combines it into one output file in CSV format - associate with Excel. Probably with csv can find any reporting tool to generate "nice" report...
@ http://windowsitpro.com/systems-management/gather-failed-logon-attempts

(2) free reporting/collection but need effort and "many" reading to setup (worth it as it expand to other coverage in future)-  Using the Windows Security Operations Center Splunk application that uses Windows Event Log logs (mainly Security logs) to display everything. Process include to collect the Windows event logs on a Universal Forwarder installed on a Windows host, then use WMI to collect the eventlogs of all other Windows systems in the domain (local workgroup).

@ http://splunk-base.splunk.com/apps/24435/windows-security-operations-center
Steps involved and doc to check
@ http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows
@ http://docs.splunk.com/Documentation/WindowsApp/5.0/User/HowtodeploytheSplunkAppforWindows

Getting the releveant ID
 @ http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx

Some $$ involved

(3) NetWrix Logon Reporter - too bad the freeware removed the reporting aspects, maybe tried the trial to testdrive what it captured.
@ http://www.netwrix.com/logon_auditing.html

(4) PA Power Admin - Check out the list of logon success and failure eventid (1st link) that can be tracked by creating a Event Log monitor. The monitor (2nd link) supports running reports on all of the matching events that have happened. You can filter the reported events on event source, type, date range, etc.
@ http://www.poweradmin.com/help/SM_5_0/howto_audit_logins.aspx
@ http://www.poweradmin.com/help/SM_5_0/Monitor_Event_Log.aspx
0
 
smartsystemsincAuthor Commented:
Wow, thanks for your reply. I have found other options, but I will definitely look into these.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.