This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
→ 🚀Are you a Lansweeper Champion?! Join our Contributor Program Sign up here!
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- E-mail Eventlog Alert: User login
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-06-2018 04:25 PM
Morning Everyone,
I am trying to get a email eventlog alert together which triggers every time a specific list of users logs in. We have used eventlog alerts in the past, and the user logon report is working, so I know that it is successfully scanning the eventlog on the DC and that SMTP is configured properly.
I've figured that the event is Microsoft-Windows-Security-Auditing ID 4624, but can't seem to get it to go. My guess is that the "User" field is not right for this purpose - Anyone have any ideas of what I'm missing here?
Event = 4624
Source = Microsoft-Windows-Security-Auditing
User like .admin
Thanks in advance,
Tony
I am trying to get a email eventlog alert together which triggers every time a specific list of users logs in. We have used eventlog alerts in the past, and the user logon report is working, so I know that it is successfully scanning the eventlog on the DC and that SMTP is configured properly.
I've figured that the event is Microsoft-Windows-Security-Auditing ID 4624, but can't seem to get it to go. My guess is that the "User" field is not right for this purpose - Anyone have any ideas of what I'm missing here?
Event = 4624
Source = Microsoft-Windows-Security-Auditing
User like .admin
Thanks in advance,
Tony
Labels:
- Labels:
-
General Discussion
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-13-2018 05:38 PM
Thanks so much - I 'll take a crack at this.
Tony
Tony
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-08-2018 05:33 PM
So you're using a email alert I presume?
Have you enabled success audit event scanning?
The loguser is not filled in on success audit events, however, in the message of the event log entry the account will be mentioned. The best thing to do is filter on the specific account name in the message of the event.
I quickly edited the default event log report so that it shows success audits only, I think with a bit of editing you can get what you need.
Have you enabled success audit event scanning?
The loguser is not filled in on success audit events, however, in the message of the event log entry the account will be mentioned. The best thing to do is filter on the specific account name in the message of the event.
I quickly edited the default event log report so that it shows success audits only, I think with a bit of editing you can get what you need.
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End As EventType,
tblNtlog.TimeGenerated,
tblNtlogSource.Sourcename,
tblNtlogFile.Logfile,
tblNtlogUser.Loguser,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End Like '%Audit%' And tblNtlog.TimeGenerated > GetDate() - 7 And
tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
tblAssets.Domain,
tblAssets.AssetName
General Discussions
Find answers to technical questions about Lansweeper.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Adding filters to eventlog alerts: is it possible to have several computer names in one event filter in General Discussions
- Lansweeper attempts egregious number of logins in General Discussions
- Update to V. 7.2.107.4 in General Discussions
- Failed login attempts grouped by computer in Reports & Analytics
