Console Logon Tracking records all logon activity (interactive logons and Terminal Services logons) in a central database and is intended to monitor logon usage on workstations and servers. The collected information can be queried through the web reports to obtain information such as:
• Which user logged on to which computer
• How long the user was logged on
• Cumulative information, such as how long a user was logged on over the course of a time period
Requirements
This feature works by intercepting the Audit Success events that are written to the Security event log when "Audit Logon Events" is enabled in the Local Security Policy of the monitored host. Some requirements therefore need to be met before logon tracking can function properly; please see Requirements for details.
Windows records logon and logoff activity only on the host where the user actually logs on. If you intend to monitor the logons and logoffs of all users in a domain environment, you will have to install the EventSentry agent on every computer where users can log on, including all workstations. You will not be able to track all logon and logoff activity just by installing the EventSentry agent on the domain controller(s). This is not a limitation of EventSentry, but of Windows itself.
Collected Data
EventSentry will collect the following logon information on all supported Windows platforms:
Field | Description
Logon Type | "Console" or "Terminal Services"
Logon ID | A unique hexadecimal number identifying the logon session on the machine
Computer | The computer where the user logged on
Group | The group the computer is a member of
Username | Username of the user who logged on/off
Domain | Domain (or computer name) of the user who logged on/off
Logon Privileges | Whether the user is a local administrator
Login Date / Time | Date and time when the user logged on
Logoff Date / Time | Date and time when the user logged off
Duration | The amount of time the user was logged on
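The Security log holds the raw data behind the fields above. The following PowerShell is an added illustration, not EventSentry code: it reads logon (4624), logoff (4634) and user-initiated logoff (4647) events from the local Security log, keeps only Windows logon type 2 (interactive, the "Console" logon type) and type 10 (RemoteInteractive, the "Terminal Services" logon type), pairs each logon with its logoff on the Logon ID, and sums the resulting durations per user the way the cumulative report does. The 24-hour lookback window, the function names and the output columns are choices made for this example and not product settings. It must run from an elevated prompt, since reading the Security log requires administrative rights.

```powershell
# Added example, not EventSentry code: reconstruct console / Terminal Services sessions from the
# local Security log by pairing 4624 with 4634/4647 on the Logon ID. Run from an elevated prompt.

# Lookback window in hours (an assumption made for this example)
$Hours = 24

# Windows logon types that correspond to the two Logon Type values reported by the feature
$LogonTypeName = @{ '2' = 'Console'; '10' = 'Terminal Services' }

function Get-EventField {
    # Pull one <Data Name="..."> value out of the event's XML payload
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonSessions {
    param([int]$LookbackHours)
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    # SilentlyContinue: an empty window is not an error here, it simply yields no sessions
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    $open = @{}   # Logon ID -> session that has logged on but not yet logged off
    foreach ($e in $events) {
        $id = Get-EventField $e 'TargetLogonId'   # hexadecimal, e.g. 0x3e7
        if ($e.Id -eq 4624) {
            $type = Get-EventField $e 'LogonType'
            if (-not $LogonTypeName.ContainsKey($type)) { continue }   # skip network, service, batch, ... logons
            $open[$id] = [pscustomobject]@{
                LogonType  = $LogonTypeName[$type]
                LogonId    = $id
                Computer   = $e.MachineName
                Username   = Get-EventField $e 'TargetUserName'
                Domain     = Get-EventField $e 'TargetDomainName'
                LogonTime  = $e.TimeCreated
                LogoffTime = $null
                Duration   = $null
            }
        }
        elseif ($open.ContainsKey($id)) {
            # 4634 or 4647 that closes a session whose 4624 we saw: the Logon ID is the join key
            $s = $open[$id]
            $s.LogoffTime = $e.TimeCreated
            $s.Duration   = $e.TimeCreated - $s.LogonTime
            $open.Remove($id)
            $s
        }
    }
    # Whatever is left has a logon but no logoff inside the window: still logged on, or logged off later
    $open.Values
}

$sessions = Get-LogonSessions -LookbackHours $Hours
$sessions | Sort-Object LogonTime |
    Format-Table LogonType, Computer, Domain, Username, LogonTime, LogoffTime, Duration -AutoSize

# Cumulative time per user over the window, the "how long over a time period" view
$sessions | Where-Object { $null -ne $_.LogoffTime } | Group-Object Domain, Username | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Total = [timespan]::FromTicks(($_.Group | ForEach-Object { $_.Duration.Ticks } | Measure-Object -Sum).Sum)
    }
} | Sort-Object Total -Descending | Format-Table -AutoSize
```

Two things worth knowing when reading the output: if success auditing for the "Logoff" subcategory is not enabled, no 4634/4647 events are written and every session stays open with no duration; and an interactive logon by an administrator under UAC produces two 4624 events with different Logon IDs (the filtered and the elevated token), so a single console session can appear twice.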
Privacy
Since collecting logon information does track a user's activity to some extent, you will still need to make sure that collecting this information does not interfere with or violate any corporate policies or laws in place.
Configuration
Tracking All Users (with exceptions)
Select "Track all users except those listed below" to monitor all logons. To exclude users, click the + button and specify the username, or part of the username, to exclude.
Tracking only selected Users
Select "Only track users listed below" and click the + button to add users that should be tracked to the list.
Track only administrative user logons
When checked, a console logon is only tracked if the user logging on is a member of the local "Administrators" group, either directly or through nested group membership.
Enabling Logon Tracking in the OS
Since logon tracking needs to be enabled in the operating system, you can configure the agent to activate it automatically if it isn't already active. Please see Requirements for more information.
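Whether you let the agent activate auditing or manage it yourself, the prerequisite can be verified directly on a monitored host. The following PowerShell is an added example, not part of EventSentry: it reads the effective setting of the "Logon" and "Logoff" audit subcategories (the Advanced Audit Policy equivalents of the "Audit Logon Events" category) with auditpol and enables success auditing where it is missing. "Logoff" is checked as well because the logoff time and the duration depend on it. The function name is a choice made here; auditpol and its switches are the standard Windows tool.

```powershell
# Added example, not EventSentry code: check that success auditing is in effect for the Logon and
# Logoff subcategories and enable it where it is not. Run from an elevated prompt.

function Get-AuditInclusionSetting {
    param([string]$Subcategory)
    # /r prints CSV with an "Inclusion Setting" column, e.g. "Success", "Success and Failure", "No Auditing"
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } |     # drop blank lines before parsing
        ConvertFrom-Csv
    $row.'Inclusion Setting'
}

foreach ($sub in 'Logon', 'Logoff') {
    $setting = Get-AuditInclusionSetting $sub
    if ($setting -match 'Success') {
        Write-Host "$sub subcategory already audits success ($setting)"
    }
    else {
        Write-Host "$sub subcategory is '$setting'; enabling success auditing"
        auditpol /set /subcategory:"$sub" /success:enable | Out-Null
    }
}
```

If audit policy is delivered through Group Policy (Advanced Audit Policy Configuration), a local auditpol change is overwritten at the next policy refresh; in that case the setting has to be made in the GPO that applies to the monitored hosts rather than on each machine.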
Database
Select a database action where the logon data should be stored.
RDP Gateway Servers
When utilizing RDP gateway servers, EventSentry can report the actual remote IP address of the client connecting through the gateway server. Resolving these IP addresses requires the following:
1. The "Microsoft-Windows-TerminalServices-Gateway" event log is monitored on the RDP gateway server, and its events are written to the same collector-enabled database that console tracking is using.
2. The collector is enabled.
If the above prerequisites are met, the "Remote IP" column in the Console report shows the actual IP address of the remote client initiating the RDP connection, rather than the IP address of the RDP gateway server.