RE: [ActiveDir] (l)user login auditing

[Free, Bob]

Probably easisest to use logon/logoff scripts to populate a database than to try to grok through all the logs. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft Sent: Wednesday, March 09, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] (l)user login auditing Some fool mentioned to our HR department that we can track our employee’s work routines by auditing the login events to our DC’s instead of their supervisors actually doing work and tracking the work habits of their charges. So now I need to present reports to our illustrious HR department in terms they can understand (pretty pictures and colors with all the details washed out so they can grasp the picture). I started by enabling login successes in the default DC policy and was overwhelmed by a flood of events from login attempts and the constant flood of logins (20,000 security events/day) from our LANutil inventory (don’t ever use PC-Duo) software (originally setup wrong by helpdesk staff and currently locking the accounts of anyone associated with that deployment (I’m letting them suffer for the moment because they did it without asking for Domain Admin support).   Currently I am using a 60 day trial of GFI’s SELM log monitor to archive events (until my UNIX admin has the time to learn enough PROLOG to get Tivoli to mine our logs, or I learn how to use the free MS Log Parser to mine our DC’s) and I did a test login and logout on a test user account (all events associated with that user were cleaned prior to testing) and I found that logging in created 28 mixed login and logout events (including 538, 540, 673 events) on login but only 1 540 logON event during logOFF and 2 538 logoff events 12 and 41 minutes after logging out!!!   What I would really like to do is tell HR to &[EMAIL PROTECTED] Themselves and tell the supervisors to do a better job tracking their employees and spend my valuable time tracking events for critical System and application events instead of babysitting the incompetents. But unfortunately the powers that be wish to appease the HR beast rather than put it in its place, so I have to clean up the flood of login events into a form that they can understand.   Does anyone recommend any software suited to this purpose or can does anyone know of a simple query of events to pinpoint domain activity?   Gideon Ashcraft Network Administrator Screen Actors Guild