Using Logon/Logoff Tracking

Email Notifications (Step 7 of 8)

Manually creating a logon or logoff filter

Instead of being notified any time a logon event is logged, you will probably only want to be notified of certain logon and logoff events. If your filters are too general (= match too many events), then you will probably get more information than you really want, even on a small network.

In our example we will only want to be notified when certain circumstances are met. To provide an example we will create a filter that will send an email alert when the user account testadmin logs on through the console (this means by hitting CTRL+ALT+DEL on a computer).

Creating a Package

It is always a good idea to stay organized, for this reason we will create a new filter package and call it Logon/Logoff.

Creating a Filter

We will then create a filter called TestAdmin Console Logon and specify our email target.

Depending on what you would like to monitor the filter text may vary. In our example, the filter will forward all events with the username testadmin and logon type 2 which is an interactive logon to a computer.

Assigning the Package

Now that the filter has been configured we will want to make sure that the package is assigned to the correct groups. The screenshot below shows the package being assigned to all groups with the exception of the "Heartbeat Group".