Solved

Monitoring security event logs

Posted on 2013-05-13
Last Modified: 2013-05-29
I need to be able to monitor the security logs for a bunch of computers in a workgroup. I want to be able to pull all of the successful and failed logons from all of the computers and put them into a nice report.

Does anyone know a cheap program that would be able to do this?
Question by:smartsystemsinc
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 1200 total points
ID: 39164593
Cheap means slightly more "work and ingenuity" for integration; maybe (2) is better? Else, with $$, see (4).

(1) Very manual and needs customisation - use of PsLogList to access all the logon success and failure event-log information from the command line. Include all the relevant event IDs using PsLoglist, such as "psloglist \\DC1 -s -i <eventid> security". Use and customise "findfailedlogon.cmd", which finds each DC that this script specifies, parses the output of the Psloglist command against that server and combines it into one output file in CSV format - associated with Excel. Probably with CSV you can find any reporting tool to generate a "nice" report...
@ http://windowsitpro.com/systems-management/gather-failed-logon-attempts

(2) Free reporting/collection but needs effort and "much" reading to set up (worth it as it expands to other coverage in future) - using the Windows Security Operations Center Splunk application, which uses Windows Event Log data (mainly Security logs) to display everything. The process includes collecting the Windows event logs on a Universal Forwarder installed on a Windows host, then using WMI to collect the event logs of all other Windows systems in the domain (local workgroup).

@ http://splunk-base.splunk.com/apps/24435/windows-security-operations-center
Steps involved and docs to check
@ http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows
@ http://docs.splunk.com/Documentation/WindowsApp/5.0/User/HowtodeploytheSplunkAppforWindows

Getting the relevant IDs
 @ http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx

Some $$ involved

(3) NetWrix Logon Reporter - too bad the freeware removed the reporting aspects; maybe try the trial to test-drive what it captures.
@ http://www.netwrix.com/logon_auditing.html

(4) PA Power Admin - Check out the list of logon success and failure event IDs (1st link) that can be tracked by creating an Event Log monitor. The monitor (2nd link) supports running reports on all of the matching events that have happened. You can filter the reported events on event source, type, date range, etc.
@ http://www.poweradmin.com/help/SM_5_0/howto_audit_logins.aspx
@ http://www.poweradmin.com/help/SM_5_0/Monitor_Event_Log.aspx
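The "pull logons from every machine and combine them into one CSV" workflow from option (1), written as an added PowerShell example (not from the thread and not btan's script): it uses Get-WinEvent instead of PsLogList, assumes placeholder hostnames and output path, an account that can read each remote Security log (Event Log Readers membership plus the "Remote Event Log Management" firewall rule on the targets), and Vista/2008-or-later targets where the logon event IDs are 4624 (success) and 4625 (failure).

```powershell
# Added example: collect successful (4624) and failed (4625) logon events from
# several workgroup computers and write a single CSV report.
# Assumptions: hostnames and output path are placeholders; $cred can read the
# remote Security log; targets are Vista/2008 or later (4624/4625 event IDs).

$computers = @('WS-01', 'WS-02', 'WS-03')   # placeholder hostnames
$since     = (Get-Date).AddDays(-1)          # report window: last 24 hours
$report    = 'C:\Reports\logons.csv'         # placeholder output path
$cred      = Get-Credential -Message 'Account with remote Security log read rights'
$outcome   = @{ 4624 = 'Success'; 4625 = 'Failure' }

$rows = foreach ($pc in $computers) {
    try {
        $events = Get-WinEvent -ComputerName $pc -Credential $cred -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
    } catch {
        # Unreachable host, access denied, or simply no matching events.
        Write-Warning "$pc`: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Logon details live in the EventData section of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Computer   = $pc
            Time       = $e.TimeCreated
            Result     = $outcome[[int]$e.Id]
            User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType  = $d.LogonType      # 2 interactive, 3 network, 10 RDP, ...
            SourceIP   = $d.IpAddress
            FailStatus = $d.Status         # only populated on 4625
        }
    }
}

$rows | Sort-Object Time | Export-Csv -Path $report -NoTypeInformation
"$($rows.Count) logon events written to $report"
```

Opening the CSV in Excel and filtering on Result = Failure grouped by User or SourceIP gives the "nice report" the question asks for; 4624 events with LogonType 3 from service accounts are usually the bulk of the noise, so filter those first.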
 

Author Closing Comment

by:smartsystemsinc
ID: 39204987
Wow, thanks for your reply. I have found other options, but I will definitely look into these.