SINC_dmack asked:
How to set up automated report digest emails of AD logons / logoffs from Event Viewer?

We have a police department client that is required to audit for successful and failed logon attempts, and logoffs, on a weekly basis.  The auditing must be performed by an employee of the PD, which means that we need to generate Event Viewer reports in a way that can be easily reviewed by a layperson.  Ideally a digest would be emailed on a daily basis.  We've set up the server to send emails any time there's a failed logon, but emails every time there's a successful logon or logoff would result in an inordinate amount of email traffic.  

The server is running Windows Server '08 R2.  We're either looking for assistance in setting up digest report emails, or for direction to a piece of software that'll handle it for us.
ASKER CERTIFIED SOLUTION
Steven Carnahan
What other resources are available to you?
Do your workstations have auditing enabled for logon/logoff?
Do you have event forwarding set up to aggregate the security log, in particular, on a single system?
You can use Splunk, or potentially PowerShell or VBScript, to pull these security events and populate a database that can then be queried, or to get a generalized report....
The DC sees the events, the workstations ....
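As an added example of the PowerShell route suggested above (not a script from this thread or from Experts Exchange), the following builds the daily digest the question asks for: it reads the last 24 hours of logon, failed-logon and logoff events from the Security log, keeps a dated CSV for retention, and mails an HTML summary plus detail table. The SMTP host, addresses and output folder are placeholders to replace.

```powershell
# Daily digest of logon/logoff activity from a domain controller's Security log,
# written as an example for this thread (not the thread's own scripts). Assumes
# the SMTP host, addresses and folder below are replaced; they are placeholders.
param(
    [string]$SmtpServer = 'smtp.example.local',              # placeholder
    [string]$From       = 'audit-digest@example.local',      # placeholder
    [string]$To         = 'records-officer@example.local',   # placeholder
    [string]$OutDir     = 'C:\AuditDigest',                  # placeholder retention folder
    [int]$Hours         = 24
)

# Security log event IDs: 4624 successful logon, 4625 failed logon, 4634 logoff.
$Names = @{ 4624 = 'Logon'; 4625 = 'Failed logon'; 4634 = 'Logoff' }
$Since = (Get-Date).AddHours(-$Hours)
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = $Since
} -ErrorAction SilentlyContinue   # no matching events is not an error

# Read fields by name from the event XML: the property order differs per event ID.
$Rows = foreach ($e in $Events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Machine accounts (trailing $) and anonymous logons only add noise for a reviewer.
    if ($d['TargetUserName'] -match '\$$' -or $d['TargetUserName'] -eq 'ANONYMOUS LOGON') { continue }
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Event = $Names[[int]$e.Id]
        User = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Computer = $d['WorkstationName']; Source = $d['IpAddress']; LogonType = $d['LogonType']
    }
}
$Rows = @($Rows | Where-Object { $_ } | Sort-Object Time)

# Keep a dated CSV for the retention folder, then mail counts plus the detail table.
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$Csv    = Join-Path $OutDir ('logons-{0:yyyy-MM-dd}.csv' -f (Get-Date))
$Cols   = 'Time', 'Event', 'User', 'Computer', 'Source', 'LogonType'
$Attach = @{}
if ($Rows.Count -gt 0) {
    $Rows | Select-Object $Cols | Export-Csv -Path $Csv -NoTypeInformation
    $Attach = @{ Attachments = $Csv }
}
$Html  = @("<h2>Logon audit, last $Hours hours ($($Rows.Count) events)</h2>")
$Html += $Rows | Group-Object Event | Select-Object Name, Count | ConvertTo-Html -Fragment
$Html += $Rows | Select-Object $Cols | ConvertTo-Html -Fragment
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -BodyAsHtml `
    -Subject ('Logon audit digest {0:yyyy-MM-dd}' -f (Get-Date)) -Body ($Html -join "`n") @Attach
```

Run it from a scheduled task on the domain controller (or on the collector if event forwarding is in place) under an account that can read the Security log; the events only exist if the "Audit logon events" policy is enabled for success and failure.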
SINC_dmack (ASKER):
Here are our tech's notes for what he did to achieve the desired results:

--The email alerting script won't meet the compliance requirements
--Instead, built a GPO for the workstations to run two scripts, one on logon and one on logoff
--These scripts write the logon and logoff activity, including time, computer name, and username, to a log file on the server
--Built another script with a scheduled task to rename the log file every Saturday with the current date and move it to an archive folder for retention and additional review
--Leave to run for a few days to test operation
--After doing some testing from a workstation, it does appear to be some type of permissions or access issue writing to the log file in the netlogon share
--Created a new hidden audit share with permissions for everyone, moved the script paths and files
--Tested and verified working on two machines that couldn't write to it before
--Also updated the failed logon script to email <person responsible for monitoring logs> directly
Thanks to the contributors to this thread.  Apologies for not following up sooner.