Probably easiest to use logon/logoff scripts to populate a database than to try to grok through all the logs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Wednesday, March 09, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (l)user login auditing

Some fool mentioned to our HR
department that we can track our employees' work routines by auditing the login
events to our DCs instead of their supervisors actually doing work and tracking
the work habits of their charges. So now I need to present reports to our
illustrious HR department in terms they can understand (pretty pictures and
colors with all the details washed out so they can grasp the picture). I started
by enabling login successes in the default DC policy and was overwhelmed by a
flood of events from login attempts and the constant flood of logins (20,000
security events/day) from our LANutil inventory (don't ever use PC-Duo) software
(originally set up wrong by helpdesk staff and currently locking the accounts of
anyone associated with that deployment (I'm letting them suffer for the moment
because they did it without asking for Domain Admin support)).
Currently I am using a 60 day trial
of GFI's SELM log monitor to archive events (until my UNIX admin has the time to
learn enough PROLOG to get Tivoli to mine our logs, or I learn how to use the
free MS Log Parser to mine our DCs) and I did a test login and logout on a test
user account (all events associated with that user were cleaned prior to
testing) and I found that logging in created 28 mixed login and logout events
(including 538, 540, 673 events) on login but only one 540 logON event during
logOFF and two 538 logoff events 12 and 41 minutes after logging out!!!
What I would really like to do is
tell HR to &[EMAIL PROTECTED] Themselves and tell the supervisors to do a better job
tracking their employees and spend my valuable time tracking events for critical
system and application events instead of babysitting the incompetents. But
unfortunately the powers that be wish to appease the HR beast rather than put it
in its place, so I have to clean up the flood of login events into a form that
they can understand. Does anyone recommend any software
suited to this purpose, or does anyone know of a simple query of events to
pinpoint domain activity?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
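The reply suggests feeding logon/logoff data into a database rather than reading raw logs. As an added example (not code from the thread), assuming a CSV-like export of DC security events with the event IDs the post names (540 logon, 538 logoff, 673 Kerberos ticket), this collapses the event flood into one first-logon / last-logoff row per account per day and drops machine accounts and an assumed inventory-tool service account:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export of DC security events (timestamp,event id,account).
# IDs as in the thread: 540 = successful network logon, 538 = logoff,
# 673 = Kerberos service ticket. Not real data; it mimics the noise described.
SAMPLE_EVENTS = """\
2005-03-09 08:01:02,540,jdoe
2005-03-09 08:01:02,673,jdoe
2005-03-09 08:01:03,540,jdoe
2005-03-09 08:01:03,538,jdoe
2005-03-09 08:05:00,540,WKSTN01$
2005-03-09 08:10:00,540,svc_inventory
2005-03-09 17:30:10,538,jdoe
2005-03-09 18:11:00,538,jdoe
2005-03-10 09:00:00,540,jdoe
"""

LOGON_IDS = {528, 540}   # interactive / network logon (Windows 2000/2003 numbering)
LOGOFF_IDS = {538}
NOISE_ACCOUNTS = {"svc_inventory"}  # assumed name of the inventory tool's account

def parse_events(text):
    """Yield (datetime, event_id, account) from the CSV-like export."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, account = line.split(",")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account

def daily_sessions(text, noise=NOISE_ACCOUNTS):
    """Collapse the flood into (first logon, last logoff) per account per day.
    Machine accounts (trailing '$') and listed service accounts are dropped.
    The 'last logoff' is approximate: 538 may arrive well after the real logoff."""
    sessions = defaultdict(lambda: [None, None])
    for when, eid, account in parse_events(text):
        if account.endswith("$") or account in noise:
            continue
        slot = sessions[(account, when.date().isoformat())]
        if eid in LOGON_IDS and (slot[0] is None or when < slot[0]):
            slot[0] = when
        elif eid in LOGOFF_IDS and (slot[1] is None or when > slot[1]):
            slot[1] = when
    return {key: tuple(val) for key, val in sessions.items()}

def report(text):
    """One readable row per account per day; '-' when no logoff was seen."""
    fmt = lambda t: t.strftime("%H:%M") if t else "-"
    return [f"{acct:<16}{day}  in {fmt(first)}  out {fmt(last)}"
            for (acct, day), (first, last) in sorted(daily_sessions(text).items())]
```

Running `print("\n".join(report(SAMPLE_EVENTS)))` prints the two summary rows; the same rows are what a logon/logoff script would insert into the database the reply proposes.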