
Tracking User Logons to the Windows Machine

Hello,

Could somebody provide a rule-set to track users logging into their Windows box? I understand that the LogonType needs to include Windows Machine, but I do not see any logs of mine that do so. Everything is Windows Batch and Windows Network.

What are the prerequisites to manage something like this? Please let me know.

Thank you,

Nickolas

2 Replies

First of all confirm within the individual machines that your computers are currently logging successful user logons (this is not turned on by default in most Windows environments). The vast majority of times when people can't find a particular event in LEM I have them jump into the source directly to see if those events are there, and we find that they are not being logged to begin with, so LEM cannot know about them.

KB on audit policy settings for Windows: Success Center

- Marc Netterfield, Github
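An added example (not part of Marc's reply or of SolarWinds' documentation) that does the local check he describes in PowerShell: confirm the "Logon" audit subcategory records successes, then summarize recent 4624 events by numeric LogonType so you can see whether interactive (console) logons show up at all. The mapping of LogonType 2 to LEM's "Windows Machine" label, and the name table, are assumptions; run it in an elevated prompt on the monitored host.

```powershell
# Added example, not from the original thread. Assumes LEM's "Windows Machine"
# corresponds to LogonType 2 (interactive) in Security event 4624.

# 1. Is the "Logon" subcategory auditing Success? (Advanced Audit Policy)
auditpol /get /subcategory:"Logon"

# Assumed friendly names for the numeric LogonType values in event 4624
$logonTypeNames = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

# 2. Pull successful logons (4624) from the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4624 events since $since. Enable 'Audit Logon' (Success) via auditpol or Group Policy."
    return
}

# 3. Count by LogonType; the value is the 'LogonType' element in the event XML
$events |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $lt  = [int]($xml.Event.EventData.Data | Where-Object Name -eq 'LogonType').'#text'
        [pscustomobject]@{ LogonType = $lt; Description = $logonTypeNames[$lt] }
    } |
    Group-Object LogonType |
    Select-Object @{ n = 'LogonType';   e = { [int]$_.Name } },
                  @{ n = 'Description'; e = { $_.Group[0].Description } },
                  Count |
    Sort-Object LogonType |
    Format-Table -AutoSize
```

If only types 3 and 4 appear, the host is auditing logons but nobody has logged on at the console during the window; if the warning fires, auditing itself is off and LEM will never receive the events.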

Agreed...you probably aren't actually logging the events on the system. Logon/Logoff is a pretty foolproof event, so if it's not showing you probably aren't capturing the events. You can look in the event viewer and check the security logs as well.

One fallback to keep in mind is to use the event group "Any Alert"; you can see pretty quickly all events that are getting captured.