09-16-2016 07:40 AM
10-04-2016 07:56 PM
When Lansweeper scans a Windows computer, it automatically detects the currently logged on Windows user and adds a logon event for this user to the Lansweeper database. This information is stored in the tblcplogoninfo database table. We've included a sample report at the end of this email (report 1) that lists logon events detected for administrators on your Windows computers in the last 30 days. You can add a report like this to your Lansweeper installation by following these instructions.
You can report on failed logins by reporting on related Event Viewer entries on your Windows computers. We've included another sample report (report 2) at the end of this email that lists instances of two specific events detected on your Windows computers in the last 30 days. You can replace what we've highlighted in yellow with your own event IDs. A similar report can also be used to list the security events referenced at the end of your email. Keep in mind that:
- Lansweeper only scans error events by default. To enable scanning of additional event types, follow these instructions.
- As far as we know, failed logins are not logged in Event Viewer by default. You'll likely first need to enable logging of these events on your computers themselves. In the group policy editor of your computers, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, you can edit the following policies to enable auditing: "Audit account logon events" and "Audit logon events".
The registry scanning feature in Lansweeper can only be used to scan specific registry values, not list all values in a registry key. However, information on which programs automatically start when a Windows computer is booted is automatically scanned by Lansweeper. We do not scan this information through the registry, but through WMI. WMI (Windows Management Instrumentation) is a framework built into Windows operating systems that stores system information. To build a report listing programs that are automatically started:
- Open the report builder under Reports\Create New Report.
- Double-click on tblAutorun and tblAutorunUni in the table list on the right to add the tables to your report.
- In the visual representation of the report in the upper section of the report builder, tick the fields in the tables that you would like to display.
- Give your report a title and hit Save & Run.
Report 1
Select Distinct Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
tblCPlogoninfo.logontime
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblCPlogoninfo On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblUsersInGroup On tblUsersInGroup.AssetID = tblCPlogoninfo.AssetID
And tblUsersInGroup.Username = tblCPlogoninfo.Username And
tblUsersInGroup.Domainname = tblCPlogoninfo.Domain
Where tblCPlogoninfo.logontime > GetDate() - 30 And tblUsersInGroup.Admingroup = 1
Order By tblCPlogoninfo.logontime Desc
Report 2
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype When 1 Then 'Error' When 2 Then 'Warning'
When 3 Then 'Information' When 4 Then 'Success Audit'
When 5 Then 'Failure Audit' End As Type,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename,
tblNtlogUser.Loguser
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode In (1000, 1001 ) And tblNtlog.TimeGenerated > GetDate() - 30
Order By tblNtlog.TimeGenerated Desc
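
As an added example (not part of the original reply and not a Lansweeper-supplied report), report 2 can be turned into a per-asset summary of failed logons. It uses only tables and columns that appear in report 2; the event IDs 4625 (an account failed to log on) and 4771 (Kerberos pre-authentication failed) and the threshold of 10 are assumptions chosen for illustration, and the report only returns rows once the auditing and event-type scanning described above are enabled.

```sql
-- Added example: assets with repeated failed-logon events in the last 30 days.
-- Assumptions: 4625 and 4771 are the event IDs of interest, and 10 events per
-- asset is an arbitrary starting threshold to tune for your environment.
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblNtlog.Eventcode,
  Count(*) As FailedEvents,
  Min(tblNtlog.TimeGenerated) As FirstSeen,
  Max(tblNtlog.TimeGenerated) As LastSeen
From tblAssets
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Where tblNtlog.Eventcode In (4625, 4771)
  -- Eventtype 5 is mapped to 'Failure Audit' by the Case expression in report 2
  And tblNtlog.Eventtype = 5
  And tblNtlog.TimeGenerated > GetDate() - 30
Group By tsysOS.Image,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblNtlog.Eventcode
-- Keep only assets with enough failures to be worth a look
Having Count(*) >= 10
Order By FailedEvents Desc
```

A short gap between FirstSeen and LastSeen with a high FailedEvents count points to a burst of attempts rather than occasional mistyped passwords.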