RRAS logs - server 2012

Hi Guys,
i have been running Microsoft RRAS for our VPN solution - SERVER 2012
Now I'd like to be able to run some analysis on the log files for RRAS.
I'd like to get some basic details, such as who logged on when and for how long for a given time period - if authentication failed...
i can see this in event viewer - is there anywhere else i can see this or software available ?
jag bAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob WilliamsCommented:
You can enable detailed auditing and within the configuration you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx

However using auditing can be VERY time consuming to filter and extract.

Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won’t need the last line (IP address) in the log off script.

Note: as written below it is filtering for PPTP logins on port 1723.  Should you use a different protocol, just change the primary port number.  I have not used this but have often done so for RDP connections using 3389

Note: the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:1723        66.66.123.123:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:1723        66.66.123.124:1234        ESTABLISHED

Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------
Script:

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "1723"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"
0
jag bAuthor Commented:
Rob - I don't have log on scripts in my environment... the main logs in event viewer are "Remote Access" just thought there might be something out there to give more information on a PPTP connection on windows server 2012 - if not I just have to filter them ?
0
Rob WilliamsCommented:
There are no better built-in logs I am aware of.  It is a common complaint. Many third party VPNs do provide detailed logging and customized reports.

It is pretty straight forward to apply the script as a logon script through group policy.  Perhaps just to an OU containing VPN users.  It makes a nice simple log.  I have had numerous EE members report it works well with RDP.
However, I appreciate if you don't want to add scripts.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jag bAuthor Commented:
Thanks for your input Rob - I think its much easier then just going into event viewer and filtering the logs for remote access rather than messing around too much
0
Rob WilliamsCommented:
I can appreciate that.  Best of luck.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.