Solved

Monitoring security event logs

Posted on 2013-05-13
2
534 Views
Last Modified: 2013-05-29
I need to be able to monitor the security logs for a bunch of computers in a workgroup. I want to be able to pull all of the successful and failed logons from all of the computers and put them into a nice report.

Does anyone know a cheap program that would be able to do this?
0
Comment
Question by:smartsystemsinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 300 total points
ID: 39164593
Cheap means slightly more "work and ingenity" for integration, maybe (2) is better? else with $$ then see (4)

(1) Very manual and need customisation - use of PsLogList to aaccess all the logon success and failure event-log information from the command line. Include all the relevant eventid using the PsLoglist such as "psloglist \\DC1 -s -i <eventid> security". Use and Customise "findfailedlogon.cmd" that find each DC that this script specifies, parses the output of the Psloglist command against that server and combines it into one output file in CSV format - associate with Excel. Probably with csv can find any reporting tool to generate "nice" report...
@ http://windowsitpro.com/systems-management/gather-failed-logon-attempts

(2) free reporting/collection but need effort and "many" reading to setup (worth it as it expand to other coverage in future)-  Using the Windows Security Operations Center Splunk application that uses Windows Event Log logs (mainly Security logs) to display everything. Process include to collect the Windows event logs on a Universal Forwarder installed on a Windows host, then use WMI to collect the eventlogs of all other Windows systems in the domain (local workgroup).

@ http://splunk-base.splunk.com/apps/24435/windows-security-operations-center
Steps involved and doc to check
@ http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows
@ http://docs.splunk.com/Documentation/WindowsApp/5.0/User/HowtodeploytheSplunkAppforWindows

Getting the releveant ID
 @ http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx

Some $$ involved

(3) NetWrix Logon Reporter - too bad the freeware removed the reporting aspects, maybe tried the trial to testdrive what it captured.
@ http://www.netwrix.com/logon_auditing.html

(4) PA Power Admin - Check out the list of logon success and failure eventid (1st link) that can be tracked by creating a Event Log monitor. The monitor (2nd link) supports running reports on all of the matching events that have happened. You can filter the reported events on event source, type, date range, etc.
@ http://www.poweradmin.com/help/SM_5_0/howto_audit_logins.aspx
@ http://www.poweradmin.com/help/SM_5_0/Monitor_Event_Log.aspx
0
 

Author Closing Comment

by:smartsystemsinc
ID: 39204987
Wow, thanks for your reply. I have found other options, but I will definitely look into these.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question