2 Replies Latest reply on Nov 7, 2014 10:12 AM by alaskan

    user logon tracking


      So I would like to know if I can do the following with SLEM and the SLEM reporting.


      I'd like to create a custom rule to track user logons for some specific servers.

      Then I'd like to also create a report off this that can be run daily.

      Is this possible? If so, how?




      I have two Windows servers I need to do this on.

      Both are running Windows Server 2012.

      One is a web server and the other is a terminal server.

      We are using SLEM 6.0.1.

        • Re: user logon tracking
          nicole pauls

          Two ways:

          1. You need agents directly on those systems

          2. Build a rule that looks for UserLogon.DetectionIP = <server1> OR UserLogon.DetectionIP = <server2>, and use the action "Create Incident"

          NOTE: You might need to refine the rule to only "interactive" logons (using LogonType) to filter out some noise, but you'll see as you build the rule.

          3. Run the "Incident Report" daily



          1. You need agents directly on these systems

          2. Run the User Logon report

          3. Filter the User Logon report by Detection IP is <server1> OR <server2> using the Select Expert

          NOTE: You might need to refine the report to only "interactive" LogonType as well to filter out noise

          4. Export that report to your Custom Reports directory and run it daily (it will remember the filtered criteria)
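
An added example, not part of the original thread and not the product's own rule or report syntax: the filter both methods describe (detection IP is one of two servers, logon type limited to interactive) applied to normalized logon events and rolled up into a daily report. The server IPs, field layout and sample events are constructed, and counting Windows logon type 10 (RemoteInteractive, i.e. RDP) as interactive alongside type 2 is an assumption made because one of the servers is a terminal server.

```python
from collections import defaultdict
from datetime import date, datetime

# Assumed values, not from the thread: placeholder server IPs (TEST-NET-1).
WATCHED = {"192.0.2.10": "web-server", "192.0.2.20": "terminal-server"}
# Windows logon types kept as "interactive": 2 = console, 10 = RDP (RemoteInteractive).
INTERACTIVE = {2: "Interactive", 10: "RemoteInteractive"}

# Constructed sample events: (time, detection IP, user, LogonType).
SAMPLE_EVENTS = [
    ("2014-11-07T08:01:12", "192.0.2.10", "alice", 2),
    ("2014-11-07T08:01:13", "192.0.2.10", "IIS APPPOOL\\site", 5),  # service: noise
    ("2014-11-07T09:15:40", "192.0.2.20", "bob", 10),
    ("2014-11-07T09:15:41", "192.0.2.20", "bob", 3),    # network: noise
    ("2014-11-07T10:02:05", "192.0.2.20", "alice", 10),
    ("2014-11-07T10:30:00", "192.0.2.99", "carol", 2),  # server not watched
    ("2014-11-07T16:45:09", "192.0.2.20", "bob", 10),
    ("2014-11-08T07:59:59", "192.0.2.10", "alice", 2),  # next day
]

def daily_logon_report(events, day):
    """Return {(server, user): {count, first, last, types}} for one day."""
    report = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "types": set()})
    for ts, detection_ip, user, logon_type in events:
        when = datetime.fromisoformat(ts)
        if when.date() != day:
            continue
        # Same two conditions as the rule/report filter in the answer above.
        if detection_ip not in WATCHED or logon_type not in INTERACTIVE:
            continue
        row = report[(WATCHED[detection_ip], user)]
        row["count"] += 1
        row["first"] = when if row["first"] is None else min(row["first"], when)
        row["last"] = when if row["last"] is None else max(row["last"], when)
        row["types"].add(INTERACTIVE[logon_type])
    return dict(report)

def format_report(report):
    """One text line per (server, user), sorted for stable daily output."""
    lines = []
    for (server, user), row in sorted(report.items()):
        lines.append(f"{server:16} {user:8} {row['count']:3} "
                     f"{row['first']:%H:%M:%S} {row['last']:%H:%M:%S} "
                     f"{','.join(sorted(row['types']))}")
    return lines

if __name__ == "__main__":
    day = date(2014, 11, 7)
    print("\n".join(format_report(daily_logon_report(SAMPLE_EVENTS, day))))
```

Without the logon-type condition, the service and network logons in the sample would also land in the report, which is the noise the NOTE lines refer to.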