RobertMcD
Engaged Sweeper
Hi,

This may have been answered before but I cannot find any recent posts for it. We are scanning the audit logs of servers and I am wanting to report on when and who logged onto a server with a privileged account.
1 ACCEPTED SOLUTION
Daniel_B
Lansweeper Alumni
After enabling logon auditing on computers in your network and enabling the scan of Audit success and Audit Failure events on your Lansweeper web console under Configuration\Server options, section Eventlog scanning, the following report lists logon events with special privileges:

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.IPAddress,
tsysOS.OSname,
tsysOS.Image As icon,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Where tblNtlog.Eventcode = 4672 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
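
An added example, not part of Daniel_B's answer or Lansweeper's own code: event 4672 is also written for SYSTEM, service and other built-in logons, so the report's rows need filtering before they answer "who". The code below assumes rows carrying the report's AssetName, TimeGenerated and Message columns, English message text, and a noise list chosen for illustration; the function names and sample rows are constructed.

```python
import re

# Principals that receive 4672 on routine logons (assumed noise list; tune per site).
NOISE_NAMES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
NOISE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
NOISE_RE = re.compile(r"^(DWM|UMFD)-\d+$|\$$")  # virtual accounts, machine accounts
FIELD_RE = re.compile(
    r"^[ \t]*(Security ID|Account Name|Account Domain):[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_subject(message):
    """Return the Subject fields of an English 4672 message ({} if none found)."""
    return dict(FIELD_RE.findall(message or ""))

def is_noise(subject):
    name = subject.get("Account Name", "")
    return (name.upper() in NOISE_NAMES or bool(NOISE_RE.search(name))
            or subject.get("Security ID", "").upper() in NOISE_SIDS)

def privileged_logons(rows):
    """Summarise report rows as {(asset, account): {"first", "last", "count"}}."""
    summary = {}
    for row in rows:
        subject, when = parse_subject(row["Message"]), row["TimeGenerated"]
        if not subject.get("Account Name"):
            account = "(unparsed)"  # keep for manual review instead of dropping
        elif is_noise(subject):
            continue
        else:
            account = subject.get("Account Domain", "") + "\\" + subject["Account Name"]
        entry = summary.setdefault((row["AssetName"], account),
                                   {"first": when, "last": when, "count": 0})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["count"] += 1
    return summary

def sample_message(sid, name, domain):  # constructed 4672-layout text, not real log data
    return ("Special privileges assigned to new logon.\r\n\r\nSubject:\r\n"
            f"\tSecurity ID:\t\t{sid}\r\n\tAccount Name:\t\t{name}\r\n"
            f"\tAccount Domain:\t\t{domain}\r\n\tLogon ID:\t\t0x3E7\r\n\r\n"
            "Privileges:\t\tSeDebugPrivilege\r\n")

USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SAMPLE_ROWS = [  # constructed rows shaped like the report output
    {"AssetName": "SRV01", "TimeGenerated": "2024-05-02 09:14:03", "Message": sample_message("S-1-5-18", "SYSTEM", "NT AUTHORITY")},
    {"AssetName": "SRV01", "TimeGenerated": "2024-05-02 09:20:11", "Message": sample_message(USER_SID, "jsmith-adm", "CONTOSO")},
    {"AssetName": "SRV01", "TimeGenerated": "2024-05-02 09:21:00", "Message": sample_message("S-1-5-90-0-2", "DWM-2", "Window Manager")},
    {"AssetName": "SRV01", "TimeGenerated": "2024-05-02 17:45:30", "Message": sample_message(USER_SID, "jsmith-adm", "CONTOSO")},
    {"AssetName": "SRV02", "TimeGenerated": "2024-05-02 10:00:00", "Message": "Special privileges assigned to new logon."},
]
```

Rows whose message cannot be parsed are reported under "(unparsed)" so that truncated or localized messages are reviewed rather than silently lost.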
