Audit - Event Viewer - logon/logoff - Filter by User?
  • Audit - Event Viewer - logon/logoff - Filter by User?

    Hi all,

    Goal - audit user logons & logoffs. I enable auditing at the domain level. I go to the OU with the computer object of the user I want to audit and set it to audit "account logon events" and "logon events" for success.

    I check the security logs on the local PC (win7) and I can see multiple logon and logoffs. I can see the "account name" for the user I am looking for - so auditing is working.

    Q - when I go to filter the log for just that user - no matter what I seem to put in the filter - I get ZERO results. Even though I can see that it is - in fact - there.

    So what am I doing wrong? In 2003 server I could do a filter in seconds but something is missing with this.

    Should I export the log as a .csv and use excel to do a filter?

    So - if anyone has the proper way to do this - audit an individual logon & logoff and then filter it to just a particular user - it would be greatly appreciated.

    Rob

  • #2
    Re: Audit - Event Viewer - logon/logoff - Filter by User?

    Hello. There are literally hundreds of tutorials/posts on a website called google.com about this. Just search for:
    How to track users logon/logoff 2008
    I have included some logon/logoff scripts that will write a txt file to a network share and you can check them from there.

    Name: Log On.bat

    rem The following line creates a rolling log file of usage by workstation
    echo Log In %Date% %TIME% %USERNAME% >> \\servername\Logs\Computer\%COMPUTERNAME%.log

    rem The following line creates a rolling log file of usage by user
    echo Log In %Date% %TIME% %COMPUTERNAME% >> \\servername\Logs\User\%USERNAME%.log

    Name: Log Off.bat

    rem The following line creates a rolling log file of usage by workstation
    echo Log Off %Date% %TIME% %USERNAME% >> \\servername\Logs\Computer\%COMPUTERNAME%.log

    rem The following line creates a rolling log file of usage by user
    echo Log Off %Date% %TIME% %COMPUTERNAME% >> \\servername\Logs\User\%USERNAME%.log

    Here are some other links with useful info.
    http://support.microsoft.com/kb/556015
    http://itowns.blogspot.co.uk/2011/06...tivity-in.html
    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
    Please remember to award reputation points if you have received good advice.
    I do tend to think 'outside the box' so others may not always share the same views.

    MCITP -W7,
    MCSA+Messaging, CCENT, ICND2 slowly getting around to.



    • #3
      Re: Audit - Event Viewer - logon/logoff - Filter by User?

      Thanks. I did check google. I was trying to use the existing logs instead of making another whole batch of logs.

      I should have been clearer - I want to use existing auditing/logs and be able to filter to the user I need info on.

      Rob
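
Added example, not part of the original posts: one way to do what post #3 asks, filtering the existing Security log for a single account. Event Viewer's "User" box matches the System-level user field, which Security audit events leave empty, so the account has to be matched in EventData instead. The function name and the account `jdoe` are hypothetical; 4624, 4634 and 4647 are the logon, logoff and user-initiated logoff events on Windows 7 / Server 2008 and later.

```powershell
# Added example: list logon/logoff events for one account from the Security log.
# Run elevated. 'jdoe' in the usage line is a hypothetical account name.
function Get-UserLogonActivity {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )

    # The name is embedded in an XPath string literal, so refuse quote characters.
    if ($UserName -match "['""]") { throw "UserName must not contain quotes." }

    # Match on EventData/TargetUserName; the value is compared exactly as logged.
    $xpath = "*[System[(EventID=4624 or EventID=4634 or EventID=4647)]] and " +
             "*[EventData[Data[@Name='TargetUserName']='$UserName']]"

    # SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches.
    $events = Get-WinEvent -LogName Security -ComputerName $ComputerName `
                  -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Collect the named EventData fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $action = 'Logoff'
        if ($e.Id -eq 4624) { $action = 'Logon' }

        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Action      = $action
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']   # present on 4624 only
            Computer    = $e.MachineName
        }
    }
}

# Usage: newest events first, as a table.
Get-UserLogonActivity -UserName 'jdoe' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, Action, Domain, User, LogonType, Computer -AutoSize
```

The same XPath expression can be pasted into Event Viewer under Filter Current Log, XML tab, "Edit query manually", as the body of the `<Select Path="Security">` element.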



      • #4
        Re: Audit - Event Viewer - logon/logoff - Filter by User?

        One more Q - how well do these batch files handle shutdowns without logoffs? (the user simply shuts off the PC - no shut down - just hits the power button).

        Rob



        • #5
          Re: Audit - Event Viewer - logon/logoff - Filter by User?

          Hi, I would implement the logon/logoff scripts I mentioned above at least in a test environment. I have set this up and it comes in handy lots of times.
          A shutdown is a logoff so if you have a logoff script configured it always will write user/computer/date/time to the configured directory. If the machine lost power then it wouldn't run any logoff scripts, you would most likely see something written to the local system event log file about the system having an unexpected shutdown.

          The other links you requested are:
          Advanced Security Audit Policy Settings
          http://technet.microsoft.com/en-us/l...=ws.10%29.aspx
          Audit Logon
          http://technet.microsoft.com/en-us/l...=ws.10%29.aspx
          Audit Logoff
          http://technet.microsoft.com/en-us/l...21(WS.10).aspx
          Last edited by uk_network; 21st May 2013, 22:30.



          • #6
            Re: Audit - Event Viewer - logon/logoff - Filter by User?

            Hi - I tested this over the last few days. What I did: I created the logon/logoff scripts as above and applied it to an OU full of users.

            After a few days the share is full of logs. However there is one piece of weirdness - the user I am interested in does not show up in the logs - no entry whatsoever. I go to a DC and check event viewer - this user has been logged on and off since 5/22. Multiple entries in event viewer.

            I double check - other users in the same OU are showing up in the new logs perfectly. I have over 100 users showing up in the new logs but the one I have to check.

            Would OWA logon/logoffs show up in these new logs?

            Any theories why a user wouldn't show up in the new logs?

            Thanks,
            Rob
