This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

E-mail Eventlog Alert: User login

aingram
Engaged Sweeper

‎11-06-2018 04:25 PM

Morning Everyone,

I am trying to get a email eventlog alert together which triggers every time a specific list of users logs in. We have used eventlog alerts in the past, and the user logon report is working, so I know that it is successfully scanning the eventlog on the DC and that SMTP is configured properly.

I've figured that the event is Microsoft-Windows-Security-Auditing ID 4624, but can't seem to get it to go. My guess is that the "User" field is not right for this purpose - Anyone have any ideas of what I'm missing here?

Event = 4624
Source = Microsoft-Windows-Security-Auditing
User like .admin


Thanks in advance,
Tony

Labels:
0 Kudos
2 REPLIES 2
aingram
Engaged Sweeper

‎11-13-2018 05:38 PM

Thanks so much - I 'll take a crack at this.

Tony
0 Kudos
Esben_D
Lansweeper Employee
Lansweeper Employee

‎11-08-2018 05:33 PM

So you're using a email alert I presume?

Have you enabled success audit event scanning?

The loguser is not filled in on success audit events, however, in the message of the event log entry the account will be mentioned. The best thing to do is filter on the specific account name in the message of the event.

I quickly edited the default event log report so that it shows success audits only, I think with a bit of editing you can get what you need.

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  tblNtlog.Eventcode,
  Case tblNtlog.Eventtype
    When 1 Then 'Error'
    When 2 Then 'Warning'
    When 3 Then 'Information'
    When 4 Then 'Security Audit Success'
    When 5 Then 'Security Audit Failure'
  End As EventType,
  tblNtlog.TimeGenerated,
  tblNtlogSource.Sourcename,
  tblNtlogFile.Logfile,
  tblNtlogUser.Loguser,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where Case tblNtlog.Eventtype
    When 1 Then 'Error'
    When 2 Then 'Warning'
    When 3 Then 'Information'
    When 4 Then 'Security Audit Success'
    When 5 Then 'Security Audit Failure'
  End Like '%Audit%' And tblNtlog.TimeGenerated > GetDate() - 7 And
  tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
  tblAssets.Domain,
  tblAssets.AssetName
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now