Too many Logon/Logoff security log entries

I’ve been asked to modify what DCs audit to make it easier to identify user
logon and logoff events. I only need dates/times for logging on/off
workstations for documenting when employees start and end their work day. I
do not need to log every authentication event every time the employee
accesses a network resource. Based on the articles I’ve read, “Audit Logon
Events” in the Default DC Policy seems to be the events I’m looking for;
however, even with all other audit policies being undefined I still get
multiple events every minute (one event every 1 – 5 seconds) in the security
log. I built a test domain (Windows 2000 – native) consisting of one DC and
one workstation. The default domain policy’s audit entries are all set to
“Not defined” and the default domain controllers policy’s “Audit logon
events” is set to record “success” events. There are no other GPOs. How
can I further reduce logged events to be more concise?
 
I only need dates/times for logging on/off
workstations for documenting when employees start and end their work day.

That would be best accomplished with time cards.

There is no way the computer can distinguish whether a particular logon is
"the beginning of a user's day" or connecting to a resource.

hth
DDS W 2k MVP MCSE
 
Would you say the same is true for when users lock their workstations (local
security logs are easy to read, but I need a central log)?
 
Unfortunately it is not an easy task to find logon/logoff in a domain.
First off, "account logon" events only record logons, and you need to enable
"logon events" to find logoffs, which would then only be recorded on the
domain computer that the user is logging off of and not the domain
controller. I suggest that for Domain Controller Security Policy,
auditing of "account logon" events be enabled for success and failure and
that logon events be enabled for failure only and disabled for success. For
Domain Security Policy, enable auditing of logon events for success and
failure. Then you can find an account logon event in the security log of the
domain controller that authenticated the user. If you need to know when they
logged off of their computer, you will have to check the security log of
their computer for the logoff event for their user account. Also keep in
mind that type 2 logons are for interactive logon to the computer, while you
will see a lot of type 3 logons generated for network logons, such as when a
user accesses a share on a computer.

If you audit logon events for domain controllers, then all the
user/computer access of the sysvol share, which is normal for Group Policy
and such and can be frequent, will be recorded. You will still see a bunch of
account logon events recorded on domain controllers when that is enabled.
Since the domain controller is the Kerberos Distribution Center, there will
be multiple events recorded for users and computers, and that is unavoidable.
The best you can do is to use the "filter" view of the security log via its
properties, use the free Event Comb from Microsoft, use command line tools
such as the free PsLogList from SysInternals to dump and filter the output,
or use a third party tool such as the one from the LanGuard folks called
S.E.L.M. to make it easier to find pertinent info in your security
logs. --- Steve
 
I think the only way you are going to narrow down when a user logs in and
out of the network as close to real as possible would be to use Crystal
Reports or something that can analyze the event log.

You could create a report that groups by user the logon times/logoff times
and at the bottom show MIN logon and MAX logoff time for each day. Hide the
details and that should give you when the user logged in, and if they
actually logged off cleanly it should give you the logoff time. This of
course does not account for when they logged off for lunch or if they went
home for a nap.
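The two answers above together describe the workable approach: dump the workstations' Security logs (with a tool like PsLogList), keep only interactive (type 2) 528 logon and 538 logoff events, drop the type 3 network logons that share and sysvol access generate, and then group by user and day to get MIN logon / MAX logoff. Below is an added example, not code from any of the posters, that does exactly that over a constructed sample dump. The comma-separated input layout (timestamp, computer, event ID, user, logon type) is an assumed export format, not PsLogList's real column order; the event IDs 528/538/540 and logon types 2/3 are the Windows 2000/XP values the thread refers to.

```python
"""Per-user first-logon / last-logoff summary from dumped Security-log events.

Added example for the thread above (not the posters' own code). Assumes the
Security-log dump has been exported, one event per line, as
    timestamp,computer,event_id,user,logon_type
which is a constructed layout chosen for this example.
"""
from collections import defaultdict
from datetime import datetime

# Windows 2000/XP Security-log event IDs and logon types referred to in the thread.
LOGON_OK = 528        # successful logon (type field tells interactive vs. other)
NET_LOGON_OK = 540    # successful network logon (share/sysvol access) - ignored here
LOGOFF = 538          # user logoff
INTERACTIVE = 2       # logon type 2: at the console
NETWORK = 3           # logon type 3: over the network

# Constructed sample dump: one user across two days with a lunch break,
# interleaved with the network logons (540 / type 3) and machine-account
# traffic (WS01$) that the replies warn will flood a DC's log.
SAMPLE = """\
2004-03-15 08:02:11,WS01,528,jsmith,2
2004-03-15 08:02:14,DC01,540,jsmith,3
2004-03-15 08:02:15,DC01,540,WS01$,3
2004-03-15 12:01:40,WS01,538,jsmith,2
2004-03-15 12:58:03,WS01,528,jsmith,2
2004-03-15 13:00:00,DC01,540,jsmith,3
2004-03-15 17:31:52,WS01,538,jsmith,2
2004-03-15 09:15:00,WS02,528,adoe,2
2004-03-16 07:55:30,WS01,528,jsmith,2
2004-03-16 16:45:12,WS01,538,jsmith,2
"""


def parse_events(text):
    """Yield (timestamp, computer, event_id, user, logon_type) per non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, computer, eid, user, ltype = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               computer, int(eid), user, int(ltype))


def workday_summary(text):
    """Group interactive logon/logoff events by (user, 'YYYY-MM-DD').

    Returns {(user, day): {"first_logon": datetime|None,
                           "last_logoff": datetime|None,
                           "sessions": int}}.
    Only type 2 events with ID 528/538 count; type 3 network logons and
    machine accounts (names ending in '$') are dropped, as the replies advise.
    'sessions' counts interactive logons, so a lunch logoff/logon shows up
    as sessions > 1 even though MIN/MAX hides it.
    """
    out = defaultdict(lambda: {"first_logon": None, "last_logoff": None, "sessions": 0})
    for ts, _computer, eid, user, ltype in parse_events(text):
        if user.endswith("$") or ltype != INTERACTIVE:
            continue
        rec = out[(user, ts.strftime("%Y-%m-%d"))]
        if eid == LOGON_OK:
            rec["sessions"] += 1
            if rec["first_logon"] is None or ts < rec["first_logon"]:
                rec["first_logon"] = ts
        elif eid == LOGOFF:
            if rec["last_logoff"] is None or ts > rec["last_logoff"]:
                rec["last_logoff"] = ts
    return dict(out)


if __name__ == "__main__":
    for (user, day), rec in sorted(workday_summary(SAMPLE).items()):
        fmt = lambda d: d.strftime("%H:%M:%S") if d else "(no clean logoff)"
        print(f"{day} {user:<8} in {fmt(rec['first_logon'])} "
              f"out {fmt(rec['last_logoff'])} sessions={rec['sessions']}")
```

The "sessions" counter is the one thing the MIN/MAX report hides: a day with sessions greater than one is exactly the lunch-break case the last reply mentions, and a record whose last_logoff is None (adoe above) is a user who never logged off cleanly, so the report should flag it rather than silently showing an end time.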
 