Could somebody provide a rule-set to track users logging into their Windows box? I understand that the LogonType needs to include Windows Machine, but I do not see any logs of mine that do so. Everything is Windows Batch and Windows Network.
What are the prerequisites to manage something like this? Please let me know.
First of all, confirm within the individual machines that your computers are currently logging successful user logons (this is not turned on by default in most Windows environments). The vast majority of times when people can't find a particular event in LEM I have them jump into the source directly to see if those events are there, and we find that they are not being logged to begin with, so LEM cannot know about them.
KB on audit policy settings for Windows: Success Center
Agreed...you probably aren't actually logging the events on the system. Logon/Logoff is a pretty foolproof event, so if it's not showing you probably aren't capturing the events. You can look in the event viewer and check the security logs as well.
One fallback to keep in mind is to use the event group "Any Alert" and you can see pretty quick all events that are getting captured.
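The source-side check both replies describe, as an added example that is not part of the original posts: it reads the audit policy for the Logon subcategory and counts successful-logon events by logon type in the local Security log. Event ID 4624, the logon-type numbers and the English subcategory name are standard Windows values assumed here; the thread does not mention them.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Windows machine whose logons you expect to see in LEM.

# 1. Is the "Logon" audit subcategory recording successes?
#    /r produces CSV; the subcategory name assumes an English-language OS.
$policy  = auditpol /get /subcategory:"Logon" /r |
           Where-Object { $_ } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
"Audit policy for Logon: $setting"
if ($setting -notmatch 'Success') {
    "Successful logons are not audited, so none reach the Security log."
}

# 2. Which logon types were actually written in the last 24 hours?
#    Event ID 4624 = "An account was successfully logged on".
$names = @{
    2  = 'Interactive';       3  = 'Network'
    4  = 'Batch';             5  = 'Service'
    7  = 'Unlock';            10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}
$filter = @{ LogName = 'Security'; Id = 4624
             StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No 4624 events in the last 24 hours: nothing for the collector to forward."
} else {
    $events | ForEach-Object {
        # Read LogonType by field name rather than by position.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [int]($data | Where-Object Name -eq 'LogonType').'#text'
    } | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $type  = $_.Group[0]
        $label = $names[$type]
        if (-not $label) { $label = 'Other' }
        [pscustomobject]@{ LogonType = $type; Meaning = $label; Count = $_.Count }
    }
}
```

If the table lists only types 3 and 4, the machine itself has recorded no console or RDP logons in that window, so the gap is at the source rather than in the LEM rule.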