
Audit logon events

Hello,

I would like to know if there is a way to use InTrust in order to have reporting for user logon. To my understanding, the way to do it is to configure a gather of the security log either on the DCs or the servers and workstations or on all of them. Searching about this was confusing because I couldn't find a clear enough image on what I have to configure on the domain through GPO in order to audit the info username xxxxx logon to xxxxxx at xxxxxxx.

I understand that it is not so much of an InTrust question but more of an AD one, but if someone has implemented this and can provide feedback it will be much appreciated.

Thank you.

Parents Reply
  • That is the problem. By enabling Audit Logon Events and Audit Account Logon Events you get a lot of event IDs such as 4624 or 4648 with hundreds of entries for each ID, most of them useless because they are from system accounts or not showing a username. And I am struggling to understand if there is a way to get a nice report with users and when and where they have logged on.

Children
  • This is where the "science" of event reporting comes in. You must go through an exercise of analyzing a "raw" list of returned events to come to an understanding of what is "normal" for your environment which will then help you to determine what events you consider to be of "high value" and which ones you can filter out of your reports. It is an iterative process. What are you planning to use to produce your reports? - i.e. are you going to create a custom report in the Knowledge Portal or perhaps export data from the Repository Viewer?
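
A first pass at the filtering discussed in this thread, as an added example that is not part of the original posts and is not InTrust functionality: it reduces 4624 events to a "who, when, where" list by dropping system and machine accounts and non-interactive logon types. It assumes the events are available in the standard Windows event XML form; the logon-type and account filters are an assumed starting point to tune for your environment, and all sample events, hosts and users are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed starting filter: logon types where a person sat down at a session.
# 2 = interactive, 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached interactive.
HUMAN_LOGON_TYPES = {"2", "7", "10", "11"}
NOISE_NAMES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON", "-", ""}
NOISE_PREFIXES = ("DWM-", "UMFD-")  # per-session window manager / font driver accounts

def user_logons(xml_events):
    """Return (time, user, computer, logon_type, source_ip) for human 4624 logons."""
    rows = []
    for raw in xml_events:
        ev = ET.fromstring(raw)
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # 4648 and others carry different fields; report them separately
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName", "")
        if (user.upper() in NOISE_NAMES or user.endswith("$")  # trailing $ = machine account
                or user.upper().startswith(NOISE_PREFIXES)):
            continue
        if data.get("LogonType") not in HUMAN_LOGON_TYPES:
            continue  # drops network (3), service (5), batch (4) logons
        system = ev.find("e:System", NS)
        rows.append((system.find("e:TimeCreated", NS).get("SystemTime"),
                     f'{data.get("TargetDomainName", "")}\\{user}',
                     system.findtext("e:Computer", namespaces=NS),
                     data["LogonType"], data.get("IpAddress", "-")))
    return rows

def _sample(eid, when, host, user, dom, ltype, ip):  # builds one constructed event
    fields = {"TargetUserName": user, "TargetDomainName": dom, "LogonType": ltype, "IpAddress": ip}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID><TimeCreated SystemTime="{when}"/>'
            f'<Computer>{host}</Computer></System><EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed data, not taken from any real log
    _sample(4624, "2024-01-15T08:02:11Z", "SRV01.contoso.example", "jsmith", "CONTOSO", 10, "10.0.0.15"),
    _sample(4624, "2024-01-15T08:02:12Z", "SRV01.contoso.example", "SRV01$", "CONTOSO", 3, "-"),
    _sample(4624, "2024-01-15T08:02:13Z", "SRV01.contoso.example", "SYSTEM", "NT AUTHORITY", 5, "-"),
    _sample(4624, "2024-01-15T08:02:14Z", "SRV01.contoso.example", "DWM-1", "Window Manager", 2, "-"),
    _sample(4624, "2024-01-15T08:05:00Z", "FS01.contoso.example", "jsmith", "CONTOSO", 3, "10.0.0.15"),
    _sample(4648, "2024-01-15T08:06:00Z", "SRV01.contoso.example", "jsmith", "CONTOSO", "", "-"),
    _sample(4624, "2024-01-15T09:30:45Z", "WS042.contoso.example", "adoe", "CONTOSO", 2, "-"),
]

if __name__ == "__main__":
    for row in user_logons(SAMPLE_EVENTS):
        print(*row, sep="  ")
```

Network logons (type 3) are dropped here because a single file-share access generates them in bulk; whether they belong in the report is one of the decisions the iterative review is meant to settle.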