2 Replies Latest reply on Nov 20, 2014 9:46 AM by tcrutchley

    Auditing Windows scheduled tasks run using LEM Agent

    garrethcoleman

      Hi all,

       

      I am curious if anyone has been able to audit windows scheduled tasks running on a windows server where they have deployed the agent and if so, how they can determine the user account used to run the task?

       

      Many thanks,

      Garreth

        • Re: Auditing Windows scheduled tasks run using LEM Agent
          curtisi

          Garreth,

           

          It looks like those events are logged under Event Viewer\Applications and Services Logs\Microsoft\Windows\TaskScheduler\Operational.  The LEM has connectors for the big Windows logs: System, Security and Application.  We don't have a connector for these Applications and Services logs, though I've seen more than a few people requesting to read from one or more of them.  I think this is a good case for the "Build Your Own Connector" feature, since it's not really possible for us to keep up with all the logs that might be under Applications and Services Logs.

           

          I can't find any of these events in the big 3 logs, so I don't think we can currently make the LEM read them.  Looking at the event, the user running the task is listed, so the event contains what you want.

           

          2014-03-13 09_39_48-Event Viewer.png

            • Re: Auditing Windows scheduled tasks run using LEM Agent
              tcrutchley

              I see that SolarWinds has added a new connector for this (Operating Systems: Microsoft Windows Task Scheduler).  Yesterday (11/19/2014) I added this connector to a Win 2K8 server and executed schtasks.exe to create a new task (event id: 106). The event can be seen under event viewer on the server itself however; it appears the SW Agent is not sending it to the LEM.