2 Replies Latest reply on Apr 29, 2013 10:29 AM by oleo

    Capture network logon

    oleo

      I need to capture when users log into their workstations every day. I am able to log interactive logons (which i think is when the agent is installed). So I am able to see the activity for when the user logs on to a machine that has the agent enabled.Audit logon events on GPU is enabled but i dont see any activity in LEM.

       

      Any ideas?

        • Re: Capture network logon
          nicole pauls

          To capture the interactive logon, you do need an agent on their workstation, and the audit account logon audit policies enabled on that system. If you're seeing it in the event log and there's an agent installed, just make sure you also have the right security log connector enabled (it will try to choose the right one on install).

           

          If you can't have an agent on the workstation, you might have to monitor your DCs for their network logons, but these will happen pretty much constantly while they are logged in, so we might have to do something like refine the timeframe or build clever lists that try to track their first logon time. Might be some manual labor involved with that route.

           

          If you're going the agent route, are you seeing the interactive logons in the security log on those systems themselves? (If not, probably a policy issue.)

           

          If you're seeing them in the security log, we can troubleshoot and figure out the LEM side.