Is it possible to create a SolarWinds panel with information about who logged in/out, when, and when a wrong password was used?
How can I get this information about users? Do I need an agent on the domain controller?
No, not exactly. SCM uses its own lightweight agent or agentless in some cases only to track configuration baselines on the servers you choose to monitor. You do not need SCM agents on DCs just for login events, because SCM does not collect those events.
SolarWinds strongly recommends installing the SEM Agent on every DC. And you need to be using SEM or SAM for this, not SCM.
SCM is designed specifically for tracking configuration changes on servers and applications files, registry keys, IIS settings, software inventory, hardware inventory, scripts, etc. It shows who made a configuration change, when, and what was changed but it does not monitor or collect general Windows Security event logs.
If you want to use a custom SWQL Resource you can use this query. Filling in the user names is optional in the case statement.
--Users that have logged in in the last 24 hours
SELECT ToLocal(TimeLoggedUtc) AS [Last Login],
    CASE
        WHEN AccountID LIKE 'Domain\User1' THEN 'Joe Smith'
        WHEN AccountID LIKE 'Domain\User2' THEN 'Henry Watts'
        WHEN AccountID LIKE 'Domain\User3' THEN 'Todd Macey'
        ELSE AccountID
    END AS [Name],
    AuditEventMessage
FROM Orion.AuditingEvents AS AE
WHERE DayDiff(TimeLoggedUtc, GetUtcDate()) < 1
    AND AE.AuditingActionType.ActionType = 'Orion.UserLogin'
    AND AccountID NOT LIKE '%_system%'
    AND AccountID NOT LIKE '%websitemaintenance_user%'
ORDER BY TimeLoggedUtc DESC
This is for failed logins.
--Failed Logins
SELECT TOP 100 AuditEventID,
    ToLocal(TimeLoggedUtc) AS LocalTime,
    --AccountID,
    CASE
        WHEN AccountID LIKE 'Domain\user1' THEN 'Users Real Name1'
        WHEN AccountID LIKE 'Domain\user2' THEN 'Users Real Name2'
        WHEN AccountID LIKE 'Domain\user3' THEN 'Users Real Name3'
        ELSE AccountID
    END AS [Name],
    AuditEventMessage
FROM Orion.AuditingEvents
WHERE AuditEventMessage LIKE '%unsuccessful attempt to login%'
ORDER BY TimeLoggedUtc DESC
Yes, it is possible to create a custom dashboard panel or view in SolarWinds that shows who logged in/logged out, when, and failed login attempts: wrong password. This uses built-in features in SAM by pulling Windows Security event logs from your domain controllers.
The key Windows events are:
You can display these in a clean table or widget on a custom dashboard, with columns for username, timestamp, event type, source IP/computer, logon type, and failure reason.
Thanks for your answer.
I figured out that I can use tags with the user's login/logout/failed status and event ID, but we have a few Domain Controllers. Users are not logged into only one.
Does it mean we need to install agents on every DC that can authenticate users?
Can we implement collecting these logs and retrieve reports with the Observability Self-Hosted Advanced Enterprise Licence?
@bobmarley thanks for help, it works.