Getting log on statistics from Windows 10 stand alone computers

I am trying to track logons to a bank of standalone computers.  I have enabled the security setting to record both successful and unsuccessful logons.  I have created a filter to be able to easily track them.

There are 6 computers involved.  They are running Windows 10 Pro and have Symantec SBE cloud antivirus.  All 6 seem to record the logons.  At first two would record up to 15 or so, and then the numbers would reduce.  Now two more are doing that.

I do not see anything in the logs that would explain this behavior.  The purpose of tracking the logons is for statistics.  Each computer has about 2500 users attached, but not all have logged on.

Have I missed something, or is there a setting that says the same user won't be counted more than once?  The setting is a library and each user name and password are their library card number.
Wilf Asked:

arnold Commented:
Please detail what information you are after.

using local group security policy, user configuration, .. you can configure login/logout script (batch)
the issue you may be encountering deals with stations whose session was resumed versus started anew.

you can write to a file, or you can write to a database.

much depends on what you are after to take the steps to implement it.

look at samba +AD DC
Limit the systems have to be pro versions.....
1
Wilf Author Commented:
We are trying to keep track of the users of computers in the public access area in the library.  In order to do this, the plan was to enable successful and failed logons in audit.  This would then show up in events.
Created a special filter to track the events.

As you can see in the pdf file, the numbers are dropping on some computers.  A computer where only an administrator logs on has records back to June 29, 2018.


Computers where users log on seem to reset the count at random times.


Any thoughts?
Computer-Log-In-attempts.pdf
results-in-management.JPG
audit-account-logon-events.JPG
0
arnold Commented:
I think I understand what you are after, a more accurate way is to force logoff accounts after idle time.
There are many IDs that get recorded: 538, 528.

there are several audit login/logout events.
You might be looking at the wrong ones
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
you are saying these are standalone systems.

how big is your security log?

I would recommend a different implementation, to be more accurate and useful.
0
Wilf Author Commented:
Since these are stand alone computers, I have chosen "audit logon events".  When looking at a filtered security log only displaying event ID 4624 and 4634, I get four entries for the same time stamp in the 4634 ID and many more in the 4624.

I believe I only need Logon type 2 to track the users that used the local keyboard to log on with, or log out.

Is there a way to also filter by logon type?

Would this eliminate the various internal operations that show up in 4624?
0
arnold Commented:
you have to use a script such as a powershell, vbscript to go through each event after you filter out the event id of interest to you to then ....

Why not do a proactive record and use login/logout script to handle the event.

Test on a system if you login, the screen saver kicks in and then you login, does your count now show two, that could possibly explain the counts you had before versus now.
0
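An added example, not part of arnold's or Wilf's posts, of the script-based filtering discussed above: it reports the Security log's size and oldest record, then counts event 4624 entries with logon type 2 per day. The exclusion list and the same-second de-duplication are assumptions about what should count as one patron sign-in.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on each standalone PC; reading the Security log needs administrator rights.

# 1. Retention check: a full log in Circular mode overwrites its oldest
#    events, which makes historical logon counts shrink.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
'{0}: max {1:N0} KB, mode {2}, {3} records, oldest {4}' -f $env:COMPUTERNAME,
    ($log.MaximumSizeInBytes / 1KB), $log.LogMode, $log.RecordCount, $oldest.TimeCreated

# 2. Event 4624 with LogonType 2 (interactive, at the local keyboard).
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]"

# Windows 10 also records type 2 logons for built-in session accounts
# (DWM-n under 'Window Manager', UMFD-n under 'Font Driver Host'); skip them.
$systemDomains = 'Window Manager', 'Font Driver Host'

$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name instead of by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $data['TargetUserName']
            Domain = $data['TargetDomainName']
        }
    } |
    Where-Object { $systemDomains -notcontains $_.Domain }

# 3. One sign-in can produce more than one 4624 record (an administrator
#    with UAC enabled gets an elevated and a filtered token), so collapse
#    records for the same user within the same second before counting.
$sessions = $logons |
    Group-Object { '{0}|{1:yyyy-MM-dd HH:mm:ss}' -f $_.User, $_.Time } |
    ForEach-Object { $_.Group[0] }

# Sign-ins per day and distinct users per day.
$sessions | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object @{n='Date';e={$_.Name}}, @{n='Logons';e={$_.Count}},
        @{n='DistinctUsers';e={($_.Group.User | Sort-Object -Unique).Count}}
```

If the oldest record is only a few days old on the busy machines, the log size limit rather than the filter is what is reducing the counts.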
Wilf Author Commented:
Could you expand on the login /logout script and how it would show a record
0
arnold Commented:
a login script runs as the user that is accessing the system.

The following in a login script
echo "Login " %logonserver% %USERNAME% %COMPUTERname% %DATE% %TIME%

the following  in a logout
echo "LOGOUT " %username% %COMPUTERNAME% %DATE% %TIME%

You can have the data added to a file on a share where everyone has write rights

another option is to use a powershell, vbscript that add these records into a database.

standalone systems is what seems strange when you have a large number of users per system.
0

Wilf Author Commented:
The reason for trying to track users is for statistics in the local library for their public access computers.  a server would be nice, but they moved away from having a server several years ago, and have not had a budget for one.
computer users must have a library card, and then use it as the username and password to logon.  While there are 2500 or so users, there are only maybe 100 or so that actively use the computers.

Once I get the logon scripts set up, how do they relate back to the tracking?  will they have a single event in the security area?

Do I enable the scripts in group policy on each computer?
0
arnold Commented:
The logon scripts will actually have info in the file into which you will write
you can arrange the formatting
date time login/logout username

then you will also have information on duration.

A shutdownstartup script in the ....

Look at using an older workstation with Linux/ubuntu configured as samba-DC

This could centralize the library cards/access....
0
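An added example, not code from the thread, of the file-based logon/logoff records described above and the session durations they allow, including sessions whose logoff script never ran. The comma-separated record layout, the function names, the computer names and the card numbers are assumptions made for illustration.

```powershell
# Added example, not from the thread. Assumed record format, one per line:
#   yyyy-MM-dd HH:mm:ss,LOGIN|LOGOUT,COMPUTER,USER
function Write-SessionRecord {          # call from the logon and logoff scripts
    param([ValidateSet('LOGIN','LOGOUT')][string]$Action, [string]$Path)
    $line = '{0:yyyy-MM-dd HH:mm:ss},{1},{2},{3}' -f (Get-Date), $Action,
        $env:COMPUTERNAME, $env:USERNAME
    Add-Content -LiteralPath $Path -Value $line   # append one record
}

function Get-SessionDuration {
    param([string[]]$Lines)
    $open = @{}     # "COMPUTER\USER" -> time of the unmatched LOGIN
    foreach ($line in $Lines) {
        $f = $line.Split(',')
        if ($f.Count -ne 4) { continue }          # skip malformed rows
        $t = [datetime]::ParseExact($f[0], 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture)
        $key = '{0}\{1}' -f $f[2], $f[3]
        if ($f[1] -eq 'LOGIN') {
            # A second LOGIN with no LOGOUT means the logoff script never ran
            # (power-off, crash): report the earlier session as open-ended.
            if ($open.ContainsKey($key)) {
                [pscustomobject]@{ Session = $key; Start = $open[$key]; Minutes = $null }
            }
            $open[$key] = $t
        } elseif ($f[1] -eq 'LOGOUT' -and $open.ContainsKey($key)) {
            [pscustomobject]@{ Session = $key; Start = $open[$key]
                               Minutes = [math]::Round(($t - $open[$key]).TotalMinutes, 1) }
            $open.Remove($key)
        }
    }
    foreach ($key in $open.Keys) {                # still logged on, or never closed
        [pscustomobject]@{ Session = $key; Start = $open[$key]; Minutes = $null }
    }
}

# Constructed sample records (hypothetical computer names and card numbers).
$sample = @(
    '2018-09-04 10:00:05,LOGIN,PAC-01,20031234'
    '2018-09-04 10:42:35,LOGOUT,PAC-01,20031234'
    '2018-09-04 11:15:00,LOGIN,PAC-02,20039876'
    '2018-09-04 13:05:10,LOGIN,PAC-02,20039876'
    '2018-09-04 13:35:10,LOGOUT,PAC-02,20039876'
)
Get-SessionDuration -Lines $sample | Format-Table -AutoSize
```

Because the user name here is the library card number that also serves as the password, the log file should not be readable by patrons. On a shared folder, granting write/append without read, modify or delete also keeps users from altering earlier records.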
masnrock Commented:
It sounds like you've set up all 2500+ users on each machine. By far the easiest thing to do would be to centralize authentication and enable proper logging. As far as centralizing authentication on a small budget, please see the recurring theme of arnold's comments. If you need to store logs for a window of time, then you should also look to get a SIEM. That would also allow you to look at far more than simply logins. AlienVault is one solution you could look at. Rapid7's had a lot of potential, but I will say that their team that helps with implementations leaves a lot to be desired on the engineering side of things.
0
Wilf Author Commented:
Thanks
The logon script is working fine.  I will investigate whether there is a SIEM that would do well in the standalone environment.
0
arnold Commented:
installing SNMP (dism /online /enable-feature /featurename:SNMP)
on each workstation and configuring the SNMP/SNMPTRAP service
using evntwin here you can configure the security events to be trapped to the SNMPTRAP server
all you would need is an SNMPTRAP receiver that will receive the traps, push them to syslog/rsyslog where it can do some processing if needed.

You could also use snmptrap.exe from the link and your login script instead of echoing or in addition to run the command and send the information in a trap.

https://www.experts-exchange.com/questions/23041373/Send-SNMP-Traps-from-a-script-command-line.html
0