Record User Logon/Logoff with Computer Name + Username

Guest

We're running a Windows 2000 server to which many workstations log on
throughout the day. The boss would like a record of all remote access
successes with a record of the a) incoming computer name, b) username, c) logon
time and logoff time.

I have been attempting to run a record through the Event Viewer and have:

1) Been able to successfully record "Account Logon Events" (672) but these
only give me the username that logged on and the time of initial logon.
Additionally, to get the information I have to look at the "properties" of
each event...as the user is inherently "SYSTEM" when listed in the main Event
Log.
This method is missing: Incoming Computer Name, Logoff Time.

2) Been able to successfully record network Logon/Logoff events (540, 538),
though these occur in the thousands (yesterday there were about 18000 of
these events) and provide me with virtually no useful information (a logoff
occurs virtually simultaneously with a logon when you compare ticket ids).
Additionally, though a username is recorded...there is no computer name or
reliable way to track times.

It is my understanding that the Security Event Viewer is meant to record
things like Account Logons and Logoffs...but nothing seems to be working.

For a short while, I managed to get 682/683 events whenever we tested a VPN
access...though those events aren't directly related to a remote access, they
did record a username and computer name and time of logon. However...it
seems getting these events to show up was more of an accident than an actual
recurring and reliable event.

I am desperate for help. Answer needed:

1) Username and Computer logged on and Time
2) Username and Computer logged off and Time

That's all I need. Can it really be that difficult...heh...(it apparently
is for me...)
 
YAKETYAK

Google security templates.
NIST has some; NSA and Microsoft have some too, depending on your needs.
Try these:

http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html

http://csrc.nist.gov/itsec/download_W2Kpro.html

http://csrc.nist.gov/itsec/guidance_W2Kpro.html

http://www.sans.org/resources/policies/

http://www.nsa.gov/forms/site_search_action.cfm










9/11
Never Forget
 
Guest

Thank you for the info...however, I was unable to find anything that worked
on the links provided...and several of them stated specifically to not try
the templates on Win2000 Servers (which is what I'm running on).

I will continue to try to work with the system...does anyone else have any
ideas?
 
super pippo

What I do is to collect the information I need at logon and logoff time
using the script below.
This script writes to the client's event viewer.
You can rather easily modify it to write to a text file in a network
location or even a SQL database.

' Logon script: writes an Information event to the client's Application log
Set sho = CreateObject("WScript.Shell")
Set sysi = CreateObject("ADSystemInfo")
strUser = sysi.UserName          ' distinguished name of the logged-on user
strComputer = sysi.ComputerName  ' distinguished name of the local computer
Set objUser = GetObject("LDAP://" & strUser)
' 4 = Information event type
sho.LogEvent 4, "User " & objUser.sAMAccountName & " has logged on at " _
    & Now & " from " & strComputer

Hope this helps.
 
Steven L Umbach

Your experience is pretty much the way it is. Logon events will be
particularly numerous for domain controllers as users and computers access
sysvol, etc. Your boss may need to evaluate again exactly what he needs and
the time he is willing to invest in it. While auditing logon successes can
be helpful, often it is the logon failures that give more valuable
information from a security perspective. You may find the free tool Event
Comb from Microsoft helpful in looking for specific events and text strings,
and also take a look at third-party programs that help make more sense of
the security logs, such as the one from the LANguard folks called SELM that
you can try for free. --- Steve

http://www.gfi.com/lanselm/ --- SELM
http://www.microsoft.com/technet/se...ndmonitoring/securitymonitoring/smpgch02.mspx
--- info on auditing including link to Event Comb.
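
The pairing the original question asks for (logon and logoff time per user and computer) can be done offline on exported Security log records by matching each 538 logoff to the 528/540 logon that carries the same Logon ID. The following is an added example, not code from any post in this thread; the CSV layout, the sample records, the account and workstation names and the five-second cut-off are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

LOGON_IDS = {"528", "540"}   # interactive and network logon events
LOGOFF_ID = "538"            # user logoff event

# Constructed sample export: time, event ID, user, workstation, logon ID.
SAMPLE = """\
2005-03-01 08:02:11,540,jsmith,WS-014,0x3E9A1
2005-03-01 08:02:11,540,WS-014$,,0x3E9A7
2005-03-01 08:02:12,538,WS-014$,,0x3E9A7
2005-03-01 08:05:40,540,mjones,WS-022,0x3F120
2005-03-01 08:05:41,538,mjones,,0x3F120
2005-03-01 12:31:05,538,jsmith,,0x3E9A1
2005-03-01 13:00:00,528,adavis,SERVER1,0x41B00
"""

def pair_sessions(text, min_length=timedelta(seconds=5)):
    """Return (user, workstation, logon, logoff) rows; logoff is None if still open."""
    open_sessions, rows = {}, []
    for stamp, event_id, user, workstation, logon_id in csv.reader(io.StringIO(text)):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if user.endswith("$"):               # computer accounts, not people
            continue
        if event_id in LOGON_IDS:
            open_sessions[logon_id] = (user, workstation, when)
        elif event_id == LOGOFF_ID and logon_id in open_sessions:
            name, ws, start = open_sessions.pop(logon_id)
            if when - start >= min_length:   # drop pairs that close almost at once
                rows.append((name, ws, start, when))
    # Logons with no matching logoff yet are reported as still open.
    rows += [(n, w, s, None) for n, w, s in open_sessions.values()]
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    for user, ws, start, end in pair_sessions(SAMPLE):
        print(f"{user:8} {ws:8} on {start}  off {end or 'still logged on'}")
```

The workstation is taken from the logon record only, since the sample logoff records carry no computer name; a Logon ID is assumed to be unique only within one boot of the server.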
 
