Hi all,
I am curious if anyone has been able to audit windows scheduled tasks running on a windows server where they have deployed the agent and if so, how they can determine the user account used to run the task?
Many thanks,
Garreth
Hi all,
I am curious if anyone has been able to audit windows scheduled tasks running on a windows server where they have deployed the agent and if so, how they can determine the user account used to run the task?
Many thanks,
Garreth
Garreth,
It looks like those events are logged under Event Viewer\Applications and Services Logs\Microsoft\Windows\TaskScheduler\Operational. The LEM has connectors for the big Windows logs: System, Security and Application. We don't have a connector for these Applications and Services logs, though I've seen more than a few people requesting to read from one or more of them. I think this is a good case for the "Build Your Own Connector" feature, since it's not really possible for us to keep up with all the logs that might be under Applications and Services Logs.
I can't find any of these events in the big 3 logs, so I don't think we can currently make the LEM read them. Looking at the event, the user running the task is listed, so the event contains what you want.
I see that SolarWinds has added a new connector for this (Operating Systems: Microsoft Windows Task Scheduler). Yesterday (11/19/2014) I added this connector to a Win 2K8 server and executed schtasks.exe to create a new task (event id: 106). The event can be seen under event viewer on the server itself however; it appears the SW Agent is not sending it to the LEM.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.