aingram
Engaged Sweeper
Morning Everyone,

I am trying to get an email event log alert together which triggers every time a specific list of users logs in. We have used event log alerts in the past, and the user logon report is working, so I know that it is successfully scanning the event log on the DC and that SMTP is configured properly.

I've figured out that the event is Microsoft-Windows-Security-Auditing ID 4624, but can't seem to get it to go. My guess is that the "User" field is not right for this purpose; anyone have any ideas of what I'm missing here?

Event = 4624
Source = Microsoft-Windows-Security-Auditing
User like .admin


Thanks in advance,
Tony

2 REPLIES
aingram
Engaged Sweeper
Thanks so much - I 'll take a crack at this.

Tony
Esben_D
Lansweeper Employee
So you're using an email alert, I presume?

Have you enabled success audit event scanning?

The loguser is not filled in on success audit events; however, the account will be mentioned in the message of the event log entry. The best thing to do is filter on the specific account name in the message of the event.

I quickly edited the default event log report so that it shows success audits only. I think with a bit of editing you can get what you need.

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  tblNtlog.Eventcode,
  Case tblNtlog.Eventtype
    When 1 Then 'Error'
    When 2 Then 'Warning'
    When 3 Then 'Information'
    When 4 Then 'Security Audit Success'
    When 5 Then 'Security Audit Failure'
  End As EventType,
  tblNtlog.TimeGenerated,
  tblNtlogSource.Sourcename,
  tblNtlogFile.Logfile,
  tblNtlogUser.Loguser,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblNtlog.Eventtype = 4  -- 'Security Audit Success' only, per the Case mapping above
  And tblNtlog.TimeGenerated > GetDate() - 7
  And tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
  tblAssets.Domain,
  tblAssets.AssetName
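As an added example (not Esben_D's or Lansweeper's own query), here is the report above narrowed to what the original post asked for: successful logons (event 4624 from Microsoft-Windows-Security-Auditing) whose message mentions an account matching the pattern the alert was meant to catch. Table and column names are those used in the report above; the '%.admin%' pattern, the 1-day window and the reduced column list are assumptions chosen for illustration.

```sql
-- Added example, not Esben_D's or Lansweeper's query: the default event log
-- report reduced to successful logons (4624) whose message names an account
-- matching the pattern from the original post. Table/column names come from
-- the report above; the '%.admin%' pattern and the 1-day window are assumed.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogSource.Sourcename,
  tblNtlogUser.Loguser,          -- stays empty on success audits; kept to show why
  tblNtlogMessage.Message        -- the account has to be matched in here instead
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode = 4624
  And tblNtlog.Eventtype = 4     -- 'Security Audit Success' in the Case mapping above
  And tblNtlogSource.Sourcename = 'Microsoft-Windows-Security-Auditing'
  -- A 4624 message lists accounts under an "Account Name:" label, so require the
  -- pattern to follow that label rather than appear anywhere in the message.
  And tblNtlogMessage.Message Like '%Account Name:%.admin%'
  And tblNtlog.TimeGenerated > GetDate() - 1
  And tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
  tblAssets.Domain,
  tblAssets.AssetName
```

Two things to keep in mind when tuning this. A 4624 message carries an "Account Name:" in both its Subject section (the account that requested the logon, frequently the computer account) and its New Logon section, so a message-based match fires if either one fits the pattern; check the returned messages before wiring the query into an alert. The message also carries a "Logon Type:" field, and adding a second Like clause on it lets you drop the noisy network (type 3) and service (type 5) logons when you only care about interactive or remote interactive sessions. None of this returns anything unless success audit scanning is enabled, as noted above.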