
nDepth Report for Interactive Logons

I've been trying for weeks to get an nDepth report created that shows ONLY interactive logons to servers by domain admins; it seems no matter what I do I get too little or too much data... I haven't been able to get a solution for this from LEM support either, so while we work on this I figured I'd try posting here to see if anyone has done anything similar and can offer any suggestions as to report logic.

To be clear, the goal is this: I want to know whenever any domain admin logs onto a server by RDP, physical server console, Citrix, etc.

I've been playing with some reports filtering them on:

UserLogon.DestinationAccount Contains Domain Admins

AND

UserLogon.LogonType = Windows: Interactive (this returns way too much)

and various other Windows logon types, but nothing is returning what I want to see. I'm sure someone else must have written similar reports; anyone have any suggestions?

-Keith

  • Hi kelkin,

    If you just want to see everything related to a specific user, try this:

    1. Open the LEM/SIM Console, and then log in as an administrator.
    2. Click Explore, and then select nDepth. This should show you all of your alerts for the past 10 minutes.
    3. In the Refine Fields list on the left, find the user you're interested in under User Name. If the user is not there, expand your search time frame.
    4. Drag the username into the search bar.
    5. Click Search (blue "play" button).
    6. Expand the time frame of the search as necessary.
    7. Follow the steps here to export the results.

    If you have any other questions please do feel free to ask. Thank you.

  • Hi Ram,

    Thanks, but that isn't what I'm looking for. I don't want to weed through tons of events for a specific user. I want to generate a report each month that shows ONLY logins for domain admins on all servers we monitor. What I'm looking for is the best logic to use for an nDepth report that I can run each month which captures only the events which indicate when a domain admin has logged on interactively to a server's desktop. I've gotten pretty close but not there yet.

    -Keith

  • FormerMember, in reply to kelkin:

    Honestly, it sounds to me like you ARE doing the right thing.

    UserLogon.DestinationAccount = <username(s) you're interested in>

    AND

    UserLogon.LogonType = Windows: Interactive

    Sample data includes "bubbajim" so that's what I've got here, and it did work as expected.

    However, you should be aware that Windows interactive logons can also include "Remote Interactive" (RDP) and "Cached Interactive" (for when the logon is served with their cached creds instead of being sent on). For these purposes, you could search for:

    UserLogon.DestinationAccount = <username(s) you're interested in>

    AND

    UserLogon.LogonType = *Interactive*

    (The search turned orange in the search builder to argue with me about leading wildcards, but it did work, in that it returned expected results for both Windows: Interactive and Windows: Remote Interactive.)

    Here's what will help us narrow down where this is coming up short:

    1. Start with a specific user, one that's in an AD group you can test with like Domain Admins - search for: UserLogon.DestinationAccount = username
    2. Verify that user has an "Interactive" type logon (or remote interactive/cached interactive, just verify it) in the timeframe you're searching, then add that to your search: UserLogon.DestinationAccount = username AND UserLogon.LogonType = Windows: Interactive
    3. Assuming you see what you expect, broaden the search to use the AD group that contains that same user, rather than the username: UserLogon.DestinationAccount = <AD group with that username in it> AND UserLogon.LogonType = Windows: Interactive

    Where does it stop working?
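The search logic outlined above (account in the admin set AND a logon type matching `*Interactive*`), as an added example that is not from the thread or from LEM itself: a small Python filter over constructed Windows 4624-style events. The numeric-to-label mapping for the three interactive types follows Windows logon type codes; the "Windows: Network" and "Windows: Service" labels, the host names and the accounts are assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Windows event 4624 logon type codes and the LEM-style labels the thread uses.
# Codes 2, 10 and 11 are the interactive family; 3 and 5 are counter-examples
# (their labels are assumed here) so the filter has something to discard.
LOGON_TYPE_LABELS = {
    2: "Windows: Interactive",
    3: "Windows: Network",             # label assumed for illustration
    5: "Windows: Service",             # label assumed for illustration
    10: "Windows: Remote Interactive",
    11: "Windows: Cached Interactive",
}


@dataclass(frozen=True)
class LogonEvent:
    host: str
    account: str
    logon_type: int


def matches_search(event, accounts, logon_type_pattern):
    """Emulate 'DestinationAccount = <accounts> AND LogonType = <pattern>'.
    The pattern uses the same '*' wildcard the search builder accepts."""
    label = LOGON_TYPE_LABELS.get(event.logon_type, f"Windows: Unknown({event.logon_type})")
    return event.account.lower() in accounts and fnmatch.fnmatchcase(label, logon_type_pattern)


def interactive_admin_logons(events, domain_admins, pattern="*Interactive*"):
    """Keep only events by listed admins whose logon type label matches the pattern."""
    admins = {a.lower() for a in domain_admins}
    return [e for e in events if matches_search(e, admins, pattern)]


# Constructed sample events (not real data): hosts, accounts and types invented.
SAMPLE_EVENTS = [
    LogonEvent("srv01", "CORP\\alice", 2),   # console logon by an admin: keep
    LogonEvent("srv01", "CORP\\alice", 3),   # network logon (e.g. drive mapping): drop
    LogonEvent("srv02", "CORP\\alice", 10),  # RDP by an admin: keep
    LogonEvent("srv02", "CORP\\bob", 10),    # RDP by a non-admin: drop
    LogonEvent("srv03", "CORP\\carol", 11),  # cached interactive by an admin: keep
    LogonEvent("srv03", "CORP\\carol", 5),   # service logon: drop
]
DOMAIN_ADMINS = ["CORP\\alice", "CORP\\carol"]  # constructed group membership

if __name__ == "__main__":
    for e in interactive_admin_logons(SAMPLE_EVENTS, DOMAIN_ADMINS):
        print(e.host, e.account, LOGON_TYPE_LABELS[e.logon_type])
```

Passing the exact label "Windows: Interactive" as the pattern reproduces the narrower search from step 2, which drops the RDP and cached cases.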

  • Hi Nicole,

    RDP and cached logins are fine, that's actually what I want to see, but the problem is that that logic is returning so many other events which aren't actually interactive logons... I did come up with report logic that seems to give me exactly what I was looking for. I'll post it here so other people can benefit from it as well. What I did was filter out what I *don't* want to see and the remaining data is pretty much perfect: instead of 15,000 events for a day I get 120, which is much more realistic. The purpose of this report is to audit when system admins log onto a server's desktop; I don't care about mapping to network drives or other types of connectivity.

    -Keith

    (screenshot of the report logic: LEM.jpg)

  • FormerMember, in reply to kelkin:

    Well, that's another good approach. I'm not sure why the Interactive bits weren't working right, but this works.

    Are you on 5.5 or 5.6?

  • We're on 5.4 actually, which is another problem: my report logic keeps getting corrupted, so I have to modify my report every time before I run it since some of the logic gets modified on its own.

    Thanks, yeah, the approach I took was that since no one could tell me what I needed to include and I didn't want to inadvertently miss anything, I'd rather report on everything and filter out what I know I don't want to see. Once in a while a new event pops up I don't care to see, so I'll add it to the report logic to filter out. So far it seems to be working great; I'm sure there's a more efficient way to do this, I just haven't figured it out yet.

    -Keith