Security Eventlog filter

  • Security Eventlog filter

    We need to track the LogOn - LogOff times for a certain employee.
    (Yes, he has been doing bad things!)
    How can I filter these events by LogonName?

    (And if Steve Ballmer should happen to listen in on this thread - how come, knowing that more than 50% of all IT-criminal activity is done by in-house employees, that such a simple question is so hard to get answers for??)

    Peter HO

  • #2
    Re: Security Eventlog filter

    filter > by logonname ?


    • #3
      Re: Security Eventlog filter

      Remember you need to check ALL your DCs as you do not know which one he authenticated against.

      Use EventCombMT to trawl through multiple logs
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Security Eventlog filter

        Originally posted by Ossian
        Remember you need to check ALL your DCs as you do not know which one he authenticated against.

        Use EventCombMT to trawl through multiple logs

        Hi
        This is an SBS2008 server, so there is only 1 DC.
        I need a tool to filter only the logins from the user CHF.
        Looking just at the EventLog, all UserIDs are N/A, so you have to open all events to find the user information.
        You cannot do this operation with the ordinary filter.

        I'm looking for a simple tool to provide this filter.



        • #5
          Re: Security Eventlog filter

          Sorry, Crystal Ball must have been on the blink re SBS (although SBS does not have a problem with additional DCs).
          On regular Server 2008, Custom View lets you enter keywords, so presumably event text is searchable.

          Thread moved to SBS forum.
          Tom Jones
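Added example, not part of any post in this thread: one way to do the filter asked for above with the built-in Get-WinEvent cmdlet, matching on the TargetUserName field inside each event instead of the N/A user column. The user name comes from the thread; the DC list, the column names and the choice of event IDs 4624/4634/4647 (the logon and logoff events on Server 2008 and later) are assumptions of this example.

```powershell
# Added example. $User and $DomainControllers are assumptions; edit them.
$User = 'CHF'
$DomainControllers = @('localhost')   # list every DC in the domain

# 4624 = logon, 4634 = logoff, 4647 = user-initiated logoff.
# The account is stored in EventData/TargetUserName, not in the
# System "User" field, which is why that column shows N/A.
$ids   = 'EventID=4624 or EventID=4634 or EventID=4647'
$xpath = "*[System[($ids)] and EventData[Data[@Name='TargetUserName']='$User']]"
$kind  = @{ 4624 = 'Logon'; 4634 = 'Logoff'; 4647 = 'Logoff (user)' }

$rows = foreach ($dc in $DomainControllers) {
    # SilentlyContinue hides the "no events found" error for a DC with no matches.
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                DC        = $dc
                Event     = $kind[$_.Id]
                LogonType = $data['LogonType']      # 2 = interactive, 3 = network, 10 = remote desktop
                LogonId   = $data['TargetLogonId']  # same value on a logon and its matching logoff
                Source    = $data['IpAddress']      # present on 4624 only
            }
        }
}

# One timeline across all DCs; pair rows by LogonId to get session lengths.
$rows | Sort-Object Time |
    Select-Object Time, DC, Event, LogonType, LogonId, Source |
    Format-Table -AutoSize
```

Run it from an elevated prompt, and write the name exactly as it appears in the events' TargetUserName field.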


          • #6
            Re: Security Eventlog filter

            Originally posted by PHO
            Hi
            This is a SBS2008 server, so there is only 1 DC.
            Non sequitur!
            Just because YOU only have one DC does not mean that others have not.
            Popular misconception. There is no limit (other than the 75 users/devices) on the number of DCs that an SBS network can have!!
            Last edited by teiger; 30th July 2011, 14:03. Reason: Clarified
            TIA

            Steven Teiger [SBS-MVP(2003-2009)]
            http://www.wintra.co.il/
            I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

            We don't stop playing because we grow old, we grow old because we stop playing.



            • #7
              Re: Security Eventlog filter

              Originally posted by teiger
              Non sequitur!
              Just because YOU only have one DC does not mean that others have not.
              Popular misconception. There is no limit (other than the 75 users/devices) on the number of DCs that an SBS network can have!!

              Correct. The misconception is that there can be only one DC in an SBS domain but the truth is that there can be multiple DCs in an SBS domain, BUT there can be only one SBS server in an SBS domain.
