1. You need agents directly on those systems
2. Build a rule that looks for UserLogon.DetectionIP <server1> OR UserLogon.DetectionIP = <server2>, Use the action "Create Incident"
NOTE: You might need to refine the rule to only "interactive" logons (using LogonType) to filter out some noise, but you'll see as you build the rule.
3. Run the "Incident Report" daily
1. You need agents directly on these systems
2. Run the User Logon report
3. Filter the User Logon report by Detection IP is <server1> OR <server2> using the Select Expert
NOTE: You might need to refine the report to only "interactive" LogonType as well to filter out noise
4. Export that report to your Custom Reports directory and run it daily (it will remember the filtered criteria)
Thanks very much. that did the trick.!