Wilf asked:

Getting logon statistics from Windows 10 standalone computers

I am trying to track logons to a bank of standalone computers.  I have enabled the security setting to record both successful and unsuccessful logons.  I have created a filter to be able to easily track them.

There are 6 computers involved.  They are running Windows 10 Pro and have Symantec SBE cloud antivirus.  All 6 seem to record the logons.  At first two would record up to 15 or so, and then the numbers would reduce.  Now two more are doing that.

I do not see anything in the logs that would explain this behavior.  The purpose of tracking the logons is for statistics.  Each computer has about 2500 users attached, but not all have logged on.

Have I missed something, or is there a setting that says the same user won't be counted more than once?  The setting is a library, and each user's username and password are their library card number.
arnold:

Please detail what information you are after.

Using Local Group Policy, User Configuration, ... you can configure a login/logout script (batch).
The issue you may be encountering deals with stations whose session was resumed versus started anew.

You can write to a file, or you can write to a database.

Much depends on what you are after, to take the steps to implement it.

Look at Samba + AD DC.
Limit: the systems have to be Pro versions.....
Wilf (asker):
We are trying to keep track of the users of computers in the public access area in the library.  In order to do this, the plan was to enable successful and failed logons in audit.  This would then show up in events.
I created a special filter to track the events.

As you can see in the PDF file, the numbers are dropping on some computers.  A computer where only an administrator logs on has records back to June 29, 2018.

Computers where users log on seem to reset the count at random times.

Any thoughts?

Attachments:
Computer-Log-In-attempts.pdf
results-in-management.JPG
audit-account-logon-events.JPG
I think I understand what you are after; a more accurate way is to force logoff of accounts after idle time.
There are many IDs that get recorded: 538, 528.

There are several audit login/logout events.
You might be looking at the wrong ones:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
You are saying these are standalone systems.

How big is your security log?

I would recommend a different implementation, to be more accurate and useful.
Wilf (asker):
Since these are standalone computers, I have chosen "Audit logon events".  When looking at a filtered security log only displaying event IDs 4624 and 4634, I get four entries for the same time stamp in the 4634 ID and many more in the 4624.

I believe I only need Logon type 2 to track the users that used the local keyboard to log on with, or log out.

Is there a way to also filter by logon type?

Would this eliminate the various internal operations that show up in 4624?
You have to use a script such as PowerShell or VBScript to go through each event after you filter out the event ID of interest to you, to then ....

Why not do a proactive record and use a login/logout script to handle the event?

Test on a system: if you log in, the screen saver kicks in and then you log in again, does your count now show two?  That could possibly explain the counts you had before versus now.
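The filtering described in this exchange, as an added example (not code from the original thread or from either participant): it asks the event log service for only 4624/4634 records with LogonType 2, drops the interactive sign-ins Windows does on its own behalf, and counts distinct users per day. Assumptions: Windows 10 Pro with "Audit logon events" enabled for Success and Failure as the asker describes, an elevated PowerShell 5.1 session (reading the Security log needs administrator rights), and an arbitrary 30-day window.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell 5.1
# session on a Windows 10 Pro machine with "Audit logon events" turned on.
$days = 30
$ms   = $days * 24 * 60 * 60 * 1000   # timediff() in event-log XPath is in milliseconds

# XPath is evaluated by the event log service, so only matching records come back
# instead of the whole Security log being pulled into PowerShell.
# LogonType 2 = interactive (local keyboard); 4624 and 4634 both carry it in EventData.
$xpath = "*[System[(EventID=4624 or EventID=4634) and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
         " and *[EventData[Data[@Name='LogonType']='2']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Windows signs in its own service identities interactively too (DWM-1, UMFD-0, ...);
    # those would inflate a "library users" count, so drop them, along with machine accounts.
    if ($data.TargetDomainName -in @('Window Manager', 'Font Driver Host')) { continue }
    if ($data.TargetUserName -like '*$') { continue }

    $kind = 'Logoff'
    if ($e.Id -eq 4624) { $kind = 'Logon' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Event    = $kind
        User     = $data.TargetUserName
        LogonId  = $data.TargetLogonId   # one value per logon session; explains same-second duplicates
        Computer = $e.MachineName
    }
}

# Raw timeline, useful for inspecting the same-timestamp entries the asker saw
$records | Sort-Object Time | Format-Table Time, Event, User, LogonId -AutoSize

# One sign-in can produce more than one 4624 (an administrator under UAC gets a
# linked elevated session), so report distinct users per day, not raw event counts.
$records | Where-Object Event -eq 'Logon' |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    ForEach-Object {
        [pscustomobject]@{
            Day           = $_.Name
            LogonEvents   = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
        }
    } | Sort-Object Day | Format-Table -AutoSize
```

Two points worth checking against the asker's observations: unlocking after the screen saver is recorded as a 4624 with LogonType 7 (Unlock), not 2, so a type-2 filter does not double count that case; and when the Security log reaches its maximum size it overwrites the oldest records by default, which looks exactly like "the count resets at random times" on the busier machines. Check the log's size and retention under Event Viewer > Windows Logs > Security > Properties before trusting any long-term count taken from it.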
Wilf (asker):
Could you expand on the login/logout script and how it would show a record?
ASKER CERTIFIED SOLUTION by arnold (solution text not shown; available to members only)
Wilf (asker):
The reason for trying to track users is for statistics in the local library for their public access computers.  A server would be nice, but they moved away from having a server several years ago, and have not had a budget for one.
Computer users must have a library card, and then use it as the username and password to log on.  While there are 2500 or so users, there are only maybe 100 or so that actively use the computers.

Once I get the logon scripts set up, how do they relate back to the tracking?  Will they have a single event in the security area?

Do I enable the scripts in group policy on each computer?
The logon scripts will actually have info in the file into which you will write;
you can arrange the formatting:
date time login/logout username

Then you will also have information on duration.

A shutdown/startup script in the ....

Look at using an older workstation with Linux/Ubuntu configured as a Samba DC.

This could centralize the library cards/access....
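The logon/logoff script arnold describes, as an added example (not the solution text or any participant's code): one PowerShell file registered twice under Local Group Policy (gpedit.msc > User Configuration > Windows Settings > Scripts (Logon/Logoff), PowerShell Scripts tab), once with the parameter `-Action Logon` and once with `-Action Logoff`. Each run appends one line in the suggested "date time, login/logout, username" shape, and running the same file by hand with `-Summary` pairs logons with logoffs to produce the per-user durations he mentions. The path C:\ProgramData\LibraryStats\usage.csv and PowerShell 5.1 are assumptions.

```powershell
# Added example, not from the original thread. Register this file as both the
# logon script (parameters: -Action Logon) and the logoff script (-Action Logoff)
# under Local Group Policy, User Configuration > Windows Settings > Scripts.
# Assumptions: PowerShell 5.1; the log path below is hypothetical.
param(
    [ValidateSet('Logon', 'Logoff')][string]$Action = 'Logon',
    [string]$LogFile = 'C:\ProgramData\LibraryStats\usage.csv',
    [switch]$Summary
)

function Write-UsageRecord {
    param([string]$Action, [string]$LogFile)
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    # date time, login/logout, username, plus the computer so six files can be merged later
    $line = '{0},{1},{2},{3}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                $Action, $env:USERNAME, $env:COMPUTERNAME
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}

function Get-UsageSummary {
    param([string]$LogFile)
    $rows = Import-Csv -Path $LogFile -Header Time, Action, User, Computer |
            Sort-Object { [datetime]$_.Time }
    $open = @{}   # user -> start time of a session that has not logged off yet
    $sessions = foreach ($r in $rows) {
        $t = [datetime]$r.Time
        switch ($r.Action) {
            'Logon'  { $open[$r.User] = $t }
            'Logoff' {
                if ($open.ContainsKey($r.User)) {
                    [pscustomobject]@{
                        User     = $r.User
                        Computer = $r.Computer
                        Start    = $open[$r.User]
                        Minutes  = [math]::Round(($t - $open[$r.User]).TotalMinutes, 1)
                    }
                    $open.Remove($r.User)
                }
                # A logoff with no matching logon (file rotated, or the logon line was
                # never written) is skipped rather than guessed at.
            }
        }
    }
    $sessions | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User         = $_.Name
            Sessions     = $_.Count
            TotalMinutes = ($_.Group | Measure-Object Minutes -Sum).Sum
        }
    } | Sort-Object TotalMinutes -Descending
}

if ($Summary) { Get-UsageSummary -LogFile $LogFile | Format-Table -AutoSize }
else          { Write-UsageRecord -Action $Action -LogFile $LogFile }
```

Two caveats a practitioner would want: logon scripts run as the user who is signing in, so the file is necessarily writable by every library patron and should be treated as a statistics source, not a tamper-resistant record (the Security log remains that); and a session ended by a power cut or hard reset never writes its Logoff line, so it shows as a logon without a duration. Unlocking after the screen saver does not run the logon script again, so that case, which arnold raised earlier, does not double count here.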
It sounds like you've set up all 2500+ users on each machine. By far the easiest thing to do would be to centralize authentication and enable proper logging. As far as centralizing authentication on a small budget, please see the recurring theme of arnold's comments. If you need to store logs for a window of time, then you should also look to get a SIEM. That would also allow you to look at far more than simply logins. AlienVault is one solution you could look at. Rapid7's had a lot of potential, but I will say that their team that helps with implementations leaves a lot to be desired on the engineering side of things.
Wilf (asker):
Thanks
The logon script is working fine.  I will investigate whether there is a SIEM that would do well in the standalone environment.
Installing SNMP (dism /online /enable-feature:SNMP)
on each workstation and configuring the SNMP/SNMPTRAP service;
using evntwin, you can configure the security events to be trapped to the SNMPTRAP server.
All you would need is an SNMPTRAP receiver that will receive the traps and push them to syslog/rsyslog, where it can do some processing if needed.

You could also use snmptrap.exe from the link in your login script, instead of echoing or in addition to it, to run the command and send the information in a trap.

https://www.experts-exchange.com/questions/23041373/Send-SNMP-Traps-from-a-script-command-line.html
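Sending the logon record as a trap from the login script, as an added example (not from the linked question or from arnold), using snmptrap.exe from Net-SNMP for Windows (https://www.net-snmp.org/). Everything below is an assumption: Net-SNMP installed in C:\usr\bin, a trap receiver at 192.168.10.5, the community string `library`, and the Net-SNMP example notification OID 1.3.6.1.4.1.8072.2.3.0.1 (from NET-SNMP-EXAMPLES-MIB) carrying the record as a string varbind at 1.3.6.1.4.1.8072.2.3.2.1. A receiver such as snmptrapd that simply logs whatever arrives needs no MIB for this.

```powershell
# Added example, not from the original thread. Paths, addresses, community and
# OIDs are hypothetical; adjust them to the receiver you actually run.
function Send-UsageTrap {
    param(
        [ValidateSet('Logon', 'Logoff')][string]$Action,
        [string]$Receiver    = '192.168.10.5',
        [string]$Community   = 'library',
        [string]$SnmpTrapExe = 'C:\usr\bin\snmptrap.exe'
    )
    $record = '{0} {1} {2} {3}' -f (Get-Date -Format 'yyyy-MM-ddTHH:mm:ss'),
                                  $Action, $env:USERNAME, $env:COMPUTERNAME

    # snmptrap v2c argument order: uptime, notification OID, then varbinds as OID TYPE VALUE.
    # An empty uptime makes snmptrap fill in its own; Windows PowerShell 5.1 silently drops a
    # bare '' argument to a native command, so a literal "" is passed instead.
    & $SnmpTrapExe -v 2c -c $Community $Receiver '""' `
        1.3.6.1.4.1.8072.2.3.0.1 `
        1.3.6.1.4.1.8072.2.3.2.1 s $record

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "snmptrap.exe exited with code $LASTEXITCODE; record not delivered: $record"
    }
}

# Called from the logon script with the same -Action value the script received
Send-UsageTrap -Action Logon
```

Traps are unacknowledged UDP, and an SNMPv2c community string travels in cleartext, so keep writing the local file as well and treat the trap as the fast path, not the only copy. If the receiver supports it, the same command works with `-v 3` plus a user, authentication and privacy protocol, which removes the cleartext community from the wire.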