Audit only Interactive Logon/Logoff

By andersonlee
Is there any way or software which can be used to audit only Interactive Logon/Logoff to my domain, as I do not want to track the others like network & service usage?

Audit only Interactive Logon/Logoff

by Joseph Moore In reply to Audit only Interactive Lo ...

Here is the definition from Technet article Q140714:

"Here are the Event IDs and type designations for the most common log on and log off events:

Interactive logon Event ID 528 Type 2
Interactive logoff Event ID 538 Type 2
Network logon Event ID 528 Type 3
Net Use connection Event ID 528 Type 3
Network logoff Event ID 538 Type 3
Net use disconnection Event ID 538 Type 3
Autodisconnect Event ID 538 Type 3"

So, you need to check your Security logs for Event IDs 528 & 538 Type 2. Those are the Interactive logon/logoff records.
Now, you can see the Type only in the Details section of the individual records. You can't build a filter to see this, though. Filters cannot work for data in the Description field.
So, you can export the Security log data using a tool like ELOGDMP.EXE from the Resource Kit. You could then pull the exported log into Excel or another spreadsheet program, filter and sort it, and get the data.

Personally, I use a tool called IPMonitor which can, among other things, scan a remote Security log (or any other Event Viewer log), look for a specific Event ID number, and check for a certain text string in the Description box. So with IPMonitor, I could check the Security log every 3 minutes for Event ID 528 with "Logon Type: 2", and generate an event (NET SEND popup box, e-mail alert, SNMP trap, etc).

Hope this helps.
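The export-and-filter approach from the reply above, as an added example that is not part of the original posts: it keeps only Event ID 528/538 records whose description says "Logon Type: 2" and pairs each logon with its logoff by Logon ID. The `date,time,event_id,description` layout and the sample records are constructed for illustration and are not ELOGDMP's actual output format; adjust the column split to match your export.

```python
import re
from datetime import datetime

# Constructed sample export, assumed layout: date,time,event_id,description
SAMPLE = """\
3/14/2001,08:01:12,528,Successful Logon: User Name: alee Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2 Logon Process: User32
3/14/2001,08:03:40,528,Successful Logon: User Name: alee Domain: CORP Logon ID: (0x0,0x1A9F0) Logon Type: 3 Logon Process: KSecDD
3/14/2001,08:03:55,538,User Logoff: User Name: alee Domain: CORP Logon ID: (0x0,0x1A9F0) Logon Type: 3
3/14/2001,09:15:02,528,Successful Logon: User Name: jmoore Domain: CORP Logon ID: (0x0,0x2C001) Logon Type: 2 Logon Process: User32
3/14/2001,17:30:45,538,User Logoff: User Name: alee Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2
"""

# Fields pulled out of the free-text Description column.
FIELD = re.compile(r"(User Name|Domain|Logon ID|Logon Type):\s*(\S+)")


def interactive_sessions(text):
    """Pair Type 2 logons (528) with logoffs (538) by Logon ID.

    Returns a list of (user, logon_time, logoff_time_or_None) tuples.
    """
    sessions, open_ids = [], {}
    for line in text.splitlines():
        # Split at most 3 times: the Logon ID in the description contains a comma.
        parts = line.split(",", 3)
        if len(parts) != 4 or parts[2].strip() not in ("528", "538"):
            continue
        fields = dict(FIELD.findall(parts[3]))
        if fields.get("Logon Type") != "2":  # drop Type 3 network / net use events
            continue
        when = datetime.strptime(parts[0] + " " + parts[1], "%m/%d/%Y %H:%M:%S")
        user = "{}\\{}".format(fields.get("Domain", "?"), fields.get("User Name", "?"))
        # Assumption: a single machine's log. When merging logs from several
        # machines, add the computer name to the key.
        logon_id = fields.get("Logon ID")
        if parts[2].strip() == "528":
            open_ids[logon_id] = len(sessions)
            sessions.append([user, when, None])
        elif logon_id in open_ids:
            sessions[open_ids.pop(logon_id)][2] = when
    return [tuple(s) for s in sessions]


if __name__ == "__main__":
    for user, on, off in interactive_sessions(SAMPLE):
        print(user, on, off or "no logoff record")
```

A session with no logoff time means no matching Event ID 538 was found in the exported range, which is worth reviewing rather than discarding.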

Audit only Interactive Logon/Logoff

by andersonlee In reply to Audit only Interactive Lo ...

Any way I can audit only the actual time users log on & log off the network/domain without all the others like network connection? This applies to only the local LAN.

Or is there any third party software for NT4.0 that can perform this particular task?

Please help as I need this urgently.
