Monitoring security event logs

Posted on 2013-05-13
Last Modified: 2013-05-29
I need to be able to monitor the security logs for a bunch of computers in a workgroup. I want to be able to pull all of the successful and failed logons from all of the computers and put them into a nice report.

Does anyone know a cheap program that would be able to do this?
Question by:smartsystemsinc
2 Comments
LVL 61

Accepted Solution

by:
btan earned 300 total points
ID: 39164593
Cheap means slightly more "work and ingenuity" for integration; maybe (2) is better? Else, with $$, see (4).

(1) Very manual and needs customisation - use PsLogList to access all the logon success and failure event-log information from the command line. Include all the relevant event IDs using PsLoglist, such as "psloglist \\DC1 -s -i <eventid> security". Use and customise "findfailedlogon.cmd", which finds each DC that the script specifies, parses the output of the Psloglist command against that server and combines it into one output file in CSV format - associate with Excel. With a CSV you can probably find any reporting tool to generate a "nice" report...
@ http://windowsitpro.com/systems-management/gather-failed-logon-attempts

(2) Free reporting/collection but needs effort and "much" reading to set up (worth it as it expands to other coverage in future) - use the Windows Security Operations Center Splunk application, which uses Windows Event Log logs (mainly Security logs) to display everything. The process includes collecting the Windows event logs on a Universal Forwarder installed on a Windows host, then using WMI to collect the event logs of all other Windows systems in the domain (local workgroup).

@ http://splunk-base.splunk.com/apps/24435/windows-security-operations-center
Steps involved and doc to check
@ http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows
@ http://docs.splunk.com/Documentation/WindowsApp/5.0/User/HowtodeploytheSplunkAppforWindows

Getting the relevant IDs
@ http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx

Some $$ involved

(3) NetWrix Logon Reporter - too bad the freeware removed the reporting aspects; maybe try the trial to test-drive what it captures.
@ http://www.netwrix.com/logon_auditing.html

(4) PA Power Admin - check out the list of logon success and failure event IDs (1st link) that can be tracked by creating an Event Log monitor. The monitor (2nd link) supports running reports on all of the matching events that have happened. You can filter the reported events on event source, type, date range, etc.
@ http://www.poweradmin.com/help/SM_5_0/howto_audit_logins.aspx
@ http://www.poweradmin.com/help/SM_5_0/Monitor_Event_Log.aspx
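A do-it-yourself variant of option (1), added here as an example and not part of the answer above: it pulls successful (4624) and failed (4625) logon events from a list of workgroup machines with Get-WinEvent and writes one CSV report. It assumes a local administrator credential valid on every target, the "Remote Event Log Management" firewall rules enabled on them, and the hostnames, lookback window and output path shown are placeholders.

```powershell
# Added example (not from the original post): combine logon success/failure
# events from several workgroup machines into one CSV report.
# Assumptions: one local admin credential works on every target, the
# "Remote Event Log Management" firewall rules are enabled there, and the
# hostnames below are placeholders for your own.
$computers = @('WS01', 'WS02', 'WS03')      # placeholder hostnames
$since     = (Get-Date).AddDays(-7)         # lookback window
$cred      = Get-Credential -Message 'Local admin account used on every target'
$report    = Join-Path $env:USERPROFILE 'Desktop\logon-report.csv'

# 4624 = successful logon, 4625 = failed logon (Vista/2008 and later).
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

# Read a named <Data> field out of the event XML; positional indexes differ
# between 4624 and 4625, so the field name is the safer key.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($c in $computers) {
    try {
        # -ErrorAction Stop also turns "no events found" into a catchable error
        $events = Get-WinEvent -ComputerName $c -Credential $cred `
                               -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"   # unreachable, denied, or empty
        continue
    }
    foreach ($e in $events) {
        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        [pscustomobject]@{
            Computer  = $c
            Time      = $e.TimeCreated
            Result    = $result
            User      = (Get-EventField $e 'TargetDomainName') + '\' + (Get-EventField $e 'TargetUserName')
            LogonType = Get-EventField $e 'LogonType'   # 2 interactive, 3 network, 10 RDP, ...
            SourceIP  = Get-EventField $e 'IpAddress'
            Status    = Get-EventField $e 'Status'      # failure reason on 4625, empty on 4624
        }
    }
}

$rows | Sort-Object Time | Export-Csv -Path $report -NoTypeInformation
"$($rows.Count) logon events written to $report"
```

Open the CSV in Excel and pivot on Result, User and SourceIP to spot repeated failures from one address; a high volume of 4624 with LogonType 3 is normal file-share traffic, not interactive logons.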

Author Closing Comment

by:smartsystemsinc
ID: 39204987
Wow, thanks for your reply. I have found other options, but I will definitely look into these.
