→ Having trouble accessing our new support portal or creating a ticket? Please notify our team here

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ITGuy2016
Engaged Sweeper
Dear All,

Iam using lansweeper now for a couple weeks and its great but iam missing the following reports.
Is there a posibilety to request the following information:

Logon Failure Report
Last Logon on WorkStation
Logon Webmail (Exchange server)
Logon VPN
1 ACCEPTED SOLUTION
Nick_VDB
Champion Sweeper III
For the Logon Failure Report Lansweeper can scan the failure events but these are not scanned initially. Lansweeper only scans error events by default. You will need to go to Confirmation\Server Options and enable the 'Scan Failure events'. The report we added will look for the event code 4625 which is a logon failure as explained here.


The second report will give the last user that was on an AD machine at the time that a scan occurred. As for VPN and Exchange logins these are not currently scanned by Lansweeper.

Instructions for adding these reports to your Lansweeper installation can be found here. If you are interested in building or modifying reports, we do recommend:
  • Reviewing some SQL tutorials, as the Lansweeper report builder is a standard SQL editor. If you know SQL, you know how to build Lansweeper reports as well. This seems like a good tutorial.
  • Making use of our database dictionary, which explains in great detail what each database table and field stores. More information on the dictionary can be found here.


Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc





Select Top 1000000 SubQuery.Username,
SubQuery.Domain As Userdomain,
SubQuery.LastLogon,
tblAssets.AssetName,
tblAssets.Domain
From tblCPlogoninfo
Inner Join (Select Top 1000000 tblCPlogoninfo.Username,
tblCPlogoninfo.Domain,
Max(tblCPlogoninfo.logontime) As LastLogon
From tblCPlogoninfo
Group By tblCPlogoninfo.Username,
tblCPlogoninfo.Domain) SubQuery On tblCPlogoninfo.Username =
SubQuery.Username And tblCPlogoninfo.Domain = SubQuery.Domain And
tblCPlogoninfo.logontime = SubQuery.LastLogon
Inner Join tblAssets On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID


View solution in original post

1 REPLY 1
Nick_VDB
Champion Sweeper III
For the Logon Failure Report Lansweeper can scan the failure events but these are not scanned initially. Lansweeper only scans error events by default. You will need to go to Confirmation\Server Options and enable the 'Scan Failure events'. The report we added will look for the event code 4625 which is a logon failure as explained here.


The second report will give the last user that was on an AD machine at the time that a scan occurred. As for VPN and Exchange logins these are not currently scanned by Lansweeper.

Instructions for adding these reports to your Lansweeper installation can be found here. If you are interested in building or modifying reports, we do recommend:
  • Reviewing some SQL tutorials, as the Lansweeper report builder is a standard SQL editor. If you know SQL, you know how to build Lansweeper reports as well. This seems like a good tutorial.
  • Making use of our database dictionary, which explains in great detail what each database table and field stores. More information on the dictionary can be found here.


Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc





Select Top 1000000 SubQuery.Username,
SubQuery.Domain As Userdomain,
SubQuery.LastLogon,
tblAssets.AssetName,
tblAssets.Domain
From tblCPlogoninfo
Inner Join (Select Top 1000000 tblCPlogoninfo.Username,
tblCPlogoninfo.Domain,
Max(tblCPlogoninfo.logontime) As LastLogon
From tblCPlogoninfo
Group By tblCPlogoninfo.Username,
tblCPlogoninfo.Domain) SubQuery On tblCPlogoninfo.Username =
SubQuery.Username And tblCPlogoninfo.Domain = SubQuery.Domain And
tblCPlogoninfo.logontime = SubQuery.LastLogon
Inner Join tblAssets On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID