Audit Logon/Logoff events


Michael

I don't want to use the Win2k Security Log file, and to audit logon events I have
included the following in my logon script:

echo %username% %time% %date% %clientname% >> \\servername\foldershared\logon.log

The problem is that every client has to write to that file, and they can
modify it.

How can I resolve this problem?

And how can I audit the logoff events?

Thanks
 

Vera Noest [MVP]

You can define a logoff script in your Local Policy, which also
runs the echo command.

The problem with write access is more difficult. Obviously, users
need the right to modify the file to be able to record their
logon.

It sounds to me as if you have a management and security problem
here, rather than a technical problem. If you really suspect your
users to erase their login information from this file, despite the
fact that they obviously have the right to start a TS session,
then there is more going on.

The echo command gives a list which is more easily readable than
the Security EventLog, I agree. But you could, let's say once a
month, export the logon and logoff events from the Security
EventLog to a tab-delimited text file, and then do a quick
comparison with that month's logon.log. You could easily automate
part of this process in a script and with some Excel macros.
That would show you if users really are manipulating the logon.log
file. Would this work for you?
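
The comparison suggested above, sketched as an added example that is not part of the original thread: it pairs successful-logon events from a tab-delimited Security log export with logon.log lines and reports what appears on only one side. The export column names, the date and time formats (which depend on regional settings), the five-minute tolerance and all sample data are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

LOGON_EVENT_ID = "528"            # Windows 2000 "successful logon" event ID
TOLERANCE = timedelta(minutes=5)  # assumed max gap between event and script line

# Constructed sample: Security log export; column names and date format are assumptions.
SECURITY_EXPORT = (
    "Date\tTime\tEventID\tUser\tComputer\n"
    "2003-03-04\t08:59:50\t528\talice\tTS01\n"
    "2003-03-04\t09:15:02\t528\tbob\tTS01\n"
    "2003-03-04\t17:30:00\t538\talice\tTS01\n"
    "2003-03-04\t18:01:10\t528\tbob\tTS01\n"
)
# Constructed sample: logon.log as written by the echo line (bob's 09:15 line is gone).
LOGON_LOG = (
    "alice 9:00:01.12 2003-03-04 PC-ALICE\n"
    "bob 18:01:20.40 2003-03-04 PC-BOB\n"
    "carol 12:00:00.00 2003-03-04 PC-CAROL\n"
)

def parse_security_export(text):
    """Return (user, time) for every successful-logon row of the export."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [(r["User"].lower(),
             datetime.strptime(r["Date"] + " " + r["Time"], "%Y-%m-%d %H:%M:%S"))
            for r in rows if r["EventID"] == LOGON_EVENT_ID]

def parse_logon_log(text):
    """Return (user, time) for every 'username time date clientname' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        when = datetime.strptime(parts[2] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        entries.append((parts[0].lower(), when))
    return entries

def reconcile(events, entries):
    """Pair each event with one unused log line of the same user within TOLERANCE."""
    unused, missing = list(entries), []
    for user, when in sorted(events, key=lambda e: e[1]):
        hit = next((e for e in unused
                    if e[0] == user and abs(e[1] - when) <= TOLERANCE), None)
        if hit:
            unused.remove(hit)
        else:
            missing.append((user, when))
    return missing, unused  # events with no log line, log lines with no event
```

Calling `reconcile(parse_security_export(SECURITY_EXPORT), parse_logon_log(LOGON_LOG))` on the sample data returns bob's 09:15 logon as present only in the Security log and carol's line as present only in logon.log.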
 

Michael

My goal is to have a simple list of user logon-logoff (username,
computername, date and time) because the Security EventLog is not easily
readable; I want to trace all the interactive sessions (logon from local
server, network logon from a PC, from a terminal server client, ...).
Is there a tool available that does it?
 

Vera Noest [MVP]

Yes, I understand exactly what you want, and have tried to give
you some alternatives.
Why is the echo-command still not enough for you? It seems to do
all that you want, both on logon and logoff. Have you read my
suggestions about your security problem? Again: would that work
for you?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---
 

Michael

This solution gives me some problems:

- security problem: users can modify the log file, and comparing the log
file with the security log file is not easy
- concurrent access problem: there are some problems when two or more users
log in at the same time (the file is locked)

I am searching for an automatic tool that gives me that information by filtering
the security log file, without doing any manual and complex activities.

Thanks,
Michael


 

Vera Noest [MVP]

OK, I see. There are numerous third-party software packages out
there that do what you want, but most do much more and are costly.
All depends on how much you want to pay and how much manual work
you are willing to do to pay less.

Filtering of the EventLog and exporting the information can be
done for free, with nearly any freeware / shareware EventLog
management utility. The Windows 2000 Resource Kit contains a
number of utilities and scripts to automate this:

Windows 2000 Resource Kits - Tools
http://www.microsoft.com/windows2000/techinfo/reskit/default.asp#section2

TechNet Script Center - Logs
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/logs/default.asp

If you want total automation, you probably want to search for one
of the numerous user accounting management software packages, which
tend to cost a lot.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---
 
