Audit logon and logoff

TheMSsForum.com: The Microsoft Software Forum

I need to collect and keep login and logoff times for all staff on my
domain/network, I've searched around and found software that can do it bout
wondered if anyone had a free way to do this via scripts etc, microsoft must
have a central way to collect these events now?

Hopefully, let me know what you know :)

Thanks in advance
Top

RE: Audit logon and logoff by QuidnuncSimcha

QuidnuncSimcha
Mon Sep 11 01:24:01 CDT 2006

Hello,

I AM NOT an expert. I am not a CS major or minor.

Anyhow, I know this can be monitored via Group policy. I believe event 528
will be triiggered.

A shoot from the HIP.....command line scripts may take a bit longer to
execute. For this reason, maybe a simple ping command script upon log-on and
log-off could be used. When the user logs onto the machine or logs off the
machine, a simple ping script could ping your machine and "trigger" an event
that is recorded with the "NOW" and IP Address.

I suppose VB scripts would be "more stealth". The problem, ofcourse, would
be related to security.

Just a thought.

"Ziguana" wrote:

> I need to collect and keep login and logoff times for all staff on my
> domain/network, I've searched around and found software that can do it bout
> wondered if anyone had a free way to do this via scripts etc, microsoft must
> have a central way to collect these events now?
>
> Hopefully, let me know what you know :)
>
> Thanks in advance
Top

RE: Audit logon and logoff by QuidnuncSimcha

QuidnuncSimcha
Mon Sep 11 01:26:01 CDT 2006

Hello,

You could also use the automatic certificate request. From my very own help
and support file:

To create an automatic certificate request for computers in a Group Policy
object
Log on to a domain with administrative privileges to manage the Group Policy
object that you want to change.
Open the Group Policy object that you want to edit.
In the console tree, click Automatic Certificate Request Settings.
Where?

Policy Object Name
Computer Configuration
Windows Settings
Security Settings
Public Key Policies
Automatic Certificate Request Settings
On the Action menu, point to New, and then click Automatic Certificate
Request. This starts the Automatic Certificate Request Setup Wizard. Follow
the steps in the wizard to create an automatic certificate request for
computers that have this Group Policy object applied to them.
Notes

To open a Group Policy object, see Related Topics.
To use this procedure, you must have administrative privileges for the Group
Policy object.
This procedure does not apply to Local Policy objects.
To use the Automatic Certificate Request Setup Wizard, you need the
following information:
The certificate template that you want to use. A certificate that is based
on the selected template will be requested automatically at the first
occurrence of any of the following: a user logs on, Group Policy is
refreshed, or a computer joins the domain and is subject to a Group Policy
setting.
The name of the certification authority (CA) in your domain that will issue
the requested certificates. The CA must be an enterprise CA that is
configured by its administrator to issue the certificate type that is being
requested.
There can only be one certificate request for each certificate type per
Group Policy object.


"Ziguana" wrote:

> I need to collect and keep login and logoff times for all staff on my
> domain/network, I've searched around and found software that can do it bout
> wondered if anyone had a free way to do this via scripts etc, microsoft must
> have a central way to collect these events now?
>
> Hopefully, let me know what you know :)
>
> Thanks in advance
Top

Re: Audit logon and logoff by karl

karl
Tue Sep 12 07:58:50 CDT 2006


"Ziguana" <Ziguana@discussions.microsoft.com> wrote in message
news:3F743D1D-C798-42FF-BDC0-42C2CD9C89BB@microsoft.com...
>I need to collect and keep login and logoff times for all staff on my
> domain/network, I've searched around and found software that can do it
> bout
> wondered if anyone had a free way to do this via scripts etc, microsoft
> must
> have a central way to collect these events now?

Use Windows Auditing to monitor and detect logons and logoffs.

http://securityadmin.info/faq.asp?auditing

You can use batch files with tools such as dumpel from www.sysinternals.com
or from the Windows Resource Kit [some of which is available for free
download from www.microsoft.com] to automate monitoring of the event logs.
You could also use tools such as www.ipsentry.com which for
around $100 US will monitor and alert on changes in event logs.

The above method tries to monitor logs on all systems remotely, across the
network, without actually collecting the logs to a central location. This
can become intensive, especially on a large network. Alternatively, one
good way to centrally collect event logs is to use a free product called
SNARE. Basically, all clients get an agent that sends event log data to a
central syslog server. Snare is pretty well thought out, but if you prefer
to build your own solution, there are a number of free Windows event log to
syslog agents, such as NTSYSLOG. www.kiwisyslog.com is one free syslog
server to collect such events. Once the events are in the central syslog
server, it's up to you to set up any sort of filtering, reporting, alerting
etc. via the native syslog server functionality or your own scripts.

No doubt there are other solutions that let you centrally collect and
monitor Windows event logs.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info




Top