Report on Priveleged User Logons

RobertMcD · ‎09-18-2015

Hi,

This may have been answered before but I cannot find any recent posts for it. We are scanning the audit logs of servers and I am wanting to report on when and who logged onto a server with a privileged account.

Daniel_B · ‎09-28-2015

After enabling logon auditing on computers in your network and enabling the scan of Audit success and Audit Failure events on your Lansweeper web console under Configuration\Server options, section Eventlog scanning, the following report lists logon events with special privileges:


Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tsysOS.OSname,
  tsysOS.Image As icon,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogFile.Logfile,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Where tblNtlog.Eventcode = 4672 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

View solution in original post

Daniel_B · ‎09-28-2015

After enabling logon auditing on computers in your network and enabling the scan of Audit success and Audit Failure events on your Lansweeper web console under Configuration\Server options, section Eventlog scanning, the following report lists logon events with special privileges:


Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tsysOS.OSname,
  tsysOS.Image As icon,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogFile.Logfile,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Where tblNtlog.Eventcode = 4672 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

Report on Priveleged User Logons

New to Lansweeper?

Try Lansweeper For Free