Sunday, March 9, 2014

SCOM 2012 - Create alert / monitor based on Windows event ( Administrator login alert )

Today a customer asked us how they can know when the Administrator account has logged on via Terminal Server to a Windows Server in their domain.
The answer is SCOM, using its event-based alert feature.
When a user logs on to Windows Server 2008 or later and logon auditing is enabled, an event with ID 4624 is written to the Security log of that machine.
So the first step to create the alert / monitor is to enable the audit.
You have to add a new Group Policy with the audit setting enabled, linked to the OU of the computers you want to monitor; in this image you can see highlighted what you need.

As always, you can force the policy update with gpupdate /force.
If you have any doubt about what each option means, here is a good explanation of the differences between Audit Logon Events and Audit Account Logon Events.

Now, when a user logs on to the system, event 4624 is written to the local machine's event log, as you can see in the following image.

With this data you can create the event monitor. As you know, you start in the Authoring pane of the SCOM console, then Management Pack Objects, Monitors.

The attached images show you how to set up the monitor step by step.

The question here is: how can I know the number of the parameter? It is easier than you might expect: just count line by line through the text that appears in the details of event 4624, for example:

SubjectUserSid S-1-5-18  <-- 1
SubjectUserName XXXXX <-- 2
SubjectDomainName XXXX <-- 3
SubjectLogonId 0x3e7  <-- 4
TargetUserSid S-1-5-21-XXXX <-- 5
TargetUserName XXXXX  <-- 6
TargetDomainName XXX <--
TargetLogonId XXXXX  <-- N+1
LogonType 10 
LogonProcessName User32  
AuthenticationPackageName Negotiate 
WorkstationName XXXXXX 
LogonGuid {XXXXXXXX} 
TransmittedServices - 
LmPackageName - 
KeyLength 0 
ProcessId 0x36f8 
ProcessName C:\Windows\System32\winlogon.exe 
IpAddress XXXXX
IpPort XXXXXX
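To make the counting concrete, here is an added Python example (not from the original post) that reads the XML view of a 4624 event, returns the parameter number SCOM expects for a given field, and evaluates the monitor's expression (Parameter 6 = TargetUserName, Parameter 9 = LogonType, where 10 means RemoteInteractive, i.e. a terminal server logon). The sample event, its host names and SIDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample 4624 event (XML view in Event Viewer); all values are placeholders.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRV01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-0-0-0-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x1a2b3c</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">SRV01</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x36f8</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_params(xml_text):
    """EventData values in document order: SCOM's Parameter N is list element N-1."""
    root = ET.fromstring(xml_text)
    return [(d.get("Name"), d.text or "") for d in root.findall("e:EventData/e:Data", NS)]


def param_number(xml_text, name):
    """1-based parameter number to type into the SCOM monitor for a given field."""
    return [n for n, _ in event_params(xml_text)].index(name) + 1


def matches_monitor(xml_text, user="Administrator", logon_type="10"):
    """The monitor's expression: Parameter 6 (TargetUserName) equals the user
    and Parameter 9 (LogonType; 10 = RemoteInteractive, i.e. RDP/terminal server)."""
    params = event_params(xml_text)
    return params[5][1] == user and params[8][1] == logon_type
```

Run param_number against an event exported from the real Security log before building the monitor, since the position is what SCOM matches on, not the field name.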


There are alternatives for this; for example, you can use Log Parser to list the parameters with something like this:

LogParser.exe -i:EVT "SELECT TOP 1 Strings AS Parameters FROM Security WHERE EventID = 4624"

The Strings column returns the event's parameters separated by | in the same order, so the position of each one is its parameter number.

Finally, you need to know what all the fields of the event mean; you can check that here.
