
‎08-27-2015 09:36 AM
hi
what i have here is an idea and i am 80% through with it.
but now i guess i need some report kung fu to have it like i need it.
because we don't have an agent to do software metering with lansweeper, we use active directory's "advanced auditing" capabilities to write process creation and termination to the eventvwr security log.
Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
Audit Process Creation
Audit Process Termination
enabled lansweeper eventlog scanning and inclusion of "Success audit" events in the settings.
so i have all the application starts and exits recorded in the lansweeper db.
what i want to do now is to extend a report i have.
it compares, via an active directory group, whether visio/project is installed and approved.
and there i want to add the information: if for example visio/project was started last week, month etc.
here is what the events look like in the web interface
here is the report matching the defined software to active directory groups
did you guys already grep around in the assets' event logs?
can somebody please help make this poor man's software metering happen?

thanks, peter
edit: added link/reference to technet advanced audit policy
1 ACCEPTED SOLUTION

‎08-27-2015 01:22 PM
This will be a huge amount of data which you are regularly scanning. In general we don't recommend scanning of Information, Success Audit or Failure events if it is not required. Your database server must be quite performant to handle it, depending on the size of your network. You certainly can build reports for scanned event log data. Please find an example report below. It only lists events scanned during the last 7 days which include something about the MS Project executable. You can copy the subquery to your other report and test if it meets your requirements.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblAssets.Lastseen,
  tNTlogProject.Eventcode As [Project Event],
  tNTlogProject.Message As [Project Message],
  tNTlogProject.TimeGenerated [Project Time generated]
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join (Select tblNtlog.AssetID,
      tblNtlog.Eventcode,
      tblNtlogMessage.Message,
      tblNtlog.TimeGenerated
    From tblNtlog
      Inner Join tblNtlogMessage On tblNtlog.MessageID = tblNtlogMessage.MessageID
    Where tblNtlog.Eventcode In (4689, 4688)
      And tblNtlogMessage.Message Like '%winproj.exe %'
      And tblNtlog.TimeGenerated > GetDate() - 7) tNTlogProject
    On tNTlogProject.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1
Order By [Project Time generated] Desc
Note: We don't currently scan software usage related data with Lansweeper. For this a scanning agent would be required on scanned computers. Until now Lansweeper is able to scan everything with or without agent in any size of network.
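Building on the subquery above toward the per-asset "started last week, month" figure the question asks for, the following T-SQL is an added example, not part of the original reply or of Lansweeper's own reports. It uses only the tables and columns that appear in the report above; the 7/30-day windows, the derived-table names and the column aliases are assumptions.

```sql
-- Added example: one row per asset and application with the last start time
-- and the number of starts in the last 7 and 30 days.
-- Only event 4688 (process creation) is counted; 4689 (termination) would
-- double every launch.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tUsage.Application,
  tUsage.LastStart As [Last start],
  tUsage.Starts7 As [Starts last 7 days],
  tUsage.Starts30 As [Starts last 30 days]
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  -- Left Join keeps assets with no matching events (NULL usage columns),
  -- i.e. machines where the software was not started in the window.
  Left Join (Select tEvents.AssetID,
      tEvents.Application,
      Max(tEvents.TimeGenerated) As LastStart,
      Sum(Case When tEvents.TimeGenerated > DateAdd(day, -7, GetDate())
        Then 1 Else 0 End) As Starts7,
      Count(*) As Starts30  -- inner Where already limits rows to 30 days
    From (Select tblNtlog.AssetID,
        tblNtlog.TimeGenerated,
        Case
          When tblNtlogMessage.Message Like '%\winproj.exe%' Then 'Project'
          Else 'Visio'
        End As Application
      From tblNtlog
        Inner Join tblNtlogMessage
          On tblNtlog.MessageID = tblNtlogMessage.MessageID
      Where tblNtlog.Eventcode = 4688
        And tblNtlog.TimeGenerated > DateAdd(day, -30, GetDate())
        -- Like matches anywhere in the message text, so any 4688 event that
        -- mentions the file name is counted, not only its own launch.
        -- The leading backslash anchors the match to a complete file name.
        And (tblNtlogMessage.Message Like '%\winproj.exe%'
          Or tblNtlogMessage.Message Like '%\visio.exe%')) tEvents
    Group By tEvents.AssetID, tEvents.Application) tUsage
    On tUsage.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1
Order By tblAssets.AssetName, tUsage.Application
```

The derived table `tUsage` can be joined into an existing installed-versus-approved report on `AssetID` in the same way as the subquery in the reply above.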
‎08-27-2015 01:43 PM
many thanks!
bigger and maybe slower DB, yeah true, that's the downside
therefore an event filter would be neato.
like an XPath query in Event Viewer to scan just those events which matter.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID &gt;= 4688 and EventID &lt;= 4689)]]
and
*[EventData[Data and (
Data='C:\Program Files (x86)\Microsoft Office\Office14\winproj.exe'
or
Data='C:\Program Files\Microsoft Office\Office14\winproj.exe'
or
Data='C:\Program Files (x86)\Microsoft Office\Office14\visio.exe'
or
Data='C:\Program Files\Microsoft Office\Office14\visio.exe'
)]]
</Select>
</Query>
</QueryList>
thinking also about a different way.
event log forwarding with an XPath filter and scan just the logs of that machine = only relevant data.

