Logon Reporter – How we do it

October 29, 2014 | blog | wp_admin

We already wrote about what it takes to track logons of real users with the Security event log and native tools. After that laundry list of caveats you might wonder how we solved them in Logon Reporter. So here is the uncut truth from the creators.


Prerequisites

First of all, let's talk about the prerequisites.

Logon Reporter works in Active Directory domain environments only. Sorry folks, no stand-alone servers or workgroups. Since it queries event logs on domain controllers, its Management Service needs certain rights.

The good news is that, unlike our competition, we do not need Domain Admin rights or even local Administrator rights on the DCs. Just make sure the service account is a member of the domain's built-in Event Log Readers group, which is what grants read access to the Security log on the domain controllers. Keep in mind that this group can read every event log on the DCs, so give the service a dedicated account rather than reusing one that does other jobs.

Remote log queries

We do not install agents on every workstation, nor do we "hack into" system-critical processes on domain controllers, which would expose your DCs to bugs in third-party code and to breakage on system updates. Instead we only subscribe to the Security event logs on the domain controllers and make sense of the battery of events written there every second.

Log queries happen remotely, so all you need to do is install our Management Service on one computer on the network and set up the list of DCs to query events from. Since users can log on via any DC on the network, we recommend setting up a connection to every DC in the monitored domain.

Picking up the right events

Here is another prerequisite. Since we query the Security event log, we expect certain events to be there. Specifically, we rely on the Account Logon events, which you enable through Group Policy applied to the domain controllers: either the classic "Audit account logon events" setting or, under Advanced Audit Policy Configuration, the "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" subcategories.

When you turn this auditing policy on and look at the Event Viewer on a domain controller you will see a lot of 4768 (a Kerberos authentication ticket, the TGT, was requested) and 4769 (a Kerberos service ticket was requested) events flooding the Security log. Each of these events has something to do with a user or a computer authenticating to a resource on the network. Note that logons which fall back to NTLM show up as 4776 credential validation events instead, and a logon with cached credentials while no DC is reachable leaves no trace on the DCs at all. But how do we convert these events into user logons?
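What the prerequisites above amount to when done with the native tools, as an added example that is not SecureHero's code: the group membership, the audit policy check on every DC, and a bulk remote pull of 4768/4769 as the low-privilege service account. The account name CORP\svc_logonrpt is an assumption; the DC list is discovered from AD.

```powershell
# Added example, not SecureHero's code: check and exercise the prerequisites the post lists
# with native tools. Assumed: a dedicated service account CORP\svc_logonrpt; the DC list is
# discovered from the domain. Run from a domain-joined host with the RSAT ActiveDirectory
# module, as an administrator (the service account itself never needs admin rights).

# 1. Least privilege: membership in the domain's built-in Event Log Readers group is all the
#    account needs to read the Security log on the DCs remotely (no Domain Admin, no local
#    Administrators on the DCs). The group can read every log on the DCs, so keep the
#    account dedicated to this job.
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'svc_logonrpt'

# 2. Every DC must be queried, because a user can authenticate against any of them.
$dcs = (Get-ADDomainController -Filter *).HostName

# 3. Account Logon auditing on the DCs. 4768 and 4769 come from the "Kerberos Authentication
#    Service" and "Kerberos Service Ticket Operations" subcategories of this category; set
#    them through the Default Domain Controllers Policy, then confirm the effective setting
#    on each DC (this step runs as you, over WinRM, not as the service account).
Invoke-Command -ComputerName $dcs -ScriptBlock { auditpol /get /category:'Account Logon' }

# 4. Bulk remote query as the service account: one call per DC with a single ID and time
#    filter, no per-event round trips. The DCs must allow the "Remote Event Log Management"
#    firewall rule group (RPC) for this to work.
$cred  = Get-Credential -UserName 'CORP\svc_logonrpt' -Message 'Logon Reporter service account'
$since = (Get-Date).AddHours(-1)
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -Credential $cred -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4768, 4769
        StartTime = $since
    }
}

# Sanity check: counts per DC and event ID. Zero 4768/4769 on a DC means the audit policy
# is not applied there, or the DC is not reachable as the service account.
$events | Group-Object MachineName, Id | Select-Object Count, Name | Format-Table -AutoSize
```

The last line is the check worth keeping around: a DC that returns nothing for the last hour is either not audited or not reachable, and both cases silently lose logons that went through that DC.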

Smart correlation and filtering

This is where the event correlation and filtering logic comes into play. Logon Reporter uses a set of rules and heuristics to pick out the events that belong to logons by real users and to assemble all the parts of the logon you want to know about: who, from which workstation, through which DC, and when.

For example, we filter out all the "network logons" performed by computer accounts, which happen constantly as workstations start their desktop sessions. We also detect Kerberos ticket renewals (event 4770) and save you from worrying about those.

Just as important, we minimize the additional load on already busy domain controllers by querying events in bulk and assembling the true logon event outside the DC, so the DCs are never held back.
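One way to do the correlation described above, as an added example and not Logon Reporter's own rules: flatten each event, drop what computer accounts do on their own behalf, drop renewals and failures, and pair a user's TGT request (4768) with the service ticket the workstation immediately requests for itself (4769). The sample events are constructed, not captured from a real domain, and the field set is reduced to what the logic uses; the DC and host names are made up.

```powershell
# Added example, not Logon Reporter's own logic: turn raw 4768/4769 traffic into user logons.
# Event XML is in the shape Get-WinEvent's ToXml() returns, with the fields reduced to the
# ones used here. All names (DC01, WS01, FILESRV, alice, bob, corp.example) are assumptions.

function ConvertFrom-EventXml {
    # Flatten one Security event into the fields the correlation needs.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            EventId  = [int]$e.Event.System.EventID
            Time     = [datetime]$e.Event.System.TimeCreated.SystemTime
            DC       = [string]$e.Event.System.Computer
            # 4768 logs "alice", 4769 logs "alice@CORP.EXAMPLE"; normalise to the account name.
            User     = ($data['TargetUserName'] -split '@')[0]
            Service  = $data['ServiceName']
            ClientIp = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            Status   = $data['Status']
        }
    }
}

function Find-UserLogon {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowSeconds = 60)

    # The computer accounts' own TGT requests are noise for logon tracking, but they reveal
    # which workstation sits at which address (DHCP churn makes this best effort only).
    $hostByIp = @{}
    foreach ($c in $Events | Where-Object { $_.EventId -eq 4768 -and $_.User -match '\$$' }) {
        $hostByIp[$c.ClientIp] = $c.User.TrimEnd('$')
    }

    # Keep successful Kerberos exchanges by real user accounts: this drops 4770 renewals,
    # failed requests, and everything computer accounts do on their own behalf.
    $isUser = { $_.Status -eq '0x0' -and $_.User -notmatch '\$$' }
    $tgts = $Events | Where-Object { $_.EventId -eq 4768 } | Where-Object $isUser
    $svcs = $Events | Where-Object { $_.EventId -eq 4769 } | Where-Object $isUser

    foreach ($t in $tgts) {
        # A desktop logon looks like: TGT for the user from address X, then within seconds,
        # from the same X, a service ticket for the host service of the machine at X
        # (ServiceName is that machine's account, e.g. WS01$). A later ticket for a file
        # server from the same session is resource access, not a logon, and is skipped.
        $expected = if ($hostByIp.ContainsKey($t.ClientIp)) { $hostByIp[$t.ClientIp] + '$' } else { $null }
        $hit = $svcs | Where-Object {
            $_.User -eq $t.User -and $_.ClientIp -eq $t.ClientIp -and
            $_.Time -ge $t.Time -and ($_.Time - $t.Time).TotalSeconds -le $WindowSeconds -and
            $_.Service -match '\$$' -and ($null -eq $expected -or $_.Service -eq $expected)
        } | Sort-Object Time | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Time = $t.Time; User = $t.User; Workstation = $hit.Service.TrimEnd('$'); ClientIp = $t.ClientIp; DC = $t.DC }
        }
    }
}

function New-SampleEvent {
    # Constructed sample event in Security-log XML shape (not a real capture).
    param([int]$Id, [string]$Time, [string]$User, [string]$Service, [string]$Ip, [string]$Status = '0x0')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><TimeCreated SystemTime="$Time"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="ServiceName">$Service</Data>
    <Data Name="IpAddress">::ffff:$Ip</Data><Data Name="Status">$Status</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-SampleEvent 4768 '2014-10-29T08:00:00Z' 'WS01$'              'krbtgt'   '10.0.0.5'        # workstation boots
    New-SampleEvent 4769 '2014-10-29T08:00:01Z' 'WS01$@CORP.EXAMPLE' 'DC01$'    '10.0.0.5'        # machine network logon
    New-SampleEvent 4768 '2014-10-29T08:01:02Z' 'alice'              'krbtgt'   '10.0.0.5'        # alice enters her password
    New-SampleEvent 4769 '2014-10-29T08:01:03Z' 'alice@CORP.EXAMPLE' 'WS01$'    '10.0.0.5'        # ticket to her own workstation
    New-SampleEvent 4769 '2014-10-29T08:05:10Z' 'alice@CORP.EXAMPLE' 'FILESRV$' '10.0.0.5'        # opens a share later
    New-SampleEvent 4770 '2014-10-29T09:01:03Z' 'alice@CORP.EXAMPLE' 'WS01$'    '10.0.0.5'        # ticket renewal
    New-SampleEvent 4768 '2014-10-29T08:02:00Z' 'bob'                'krbtgt'   '10.0.0.9' '0x6'  # unknown account
)

$logons = Find-UserLogon -Events ($sample | ConvertFrom-EventXml)
$logons | Format-Table Time, User, Workstation, ClientIp, DC
```

Against the sample, only alice's logon on WS01 is reported; the machine's own tickets, the later file-server ticket, the 4770 renewal and bob's failed request are filtered out. For live data, pipe `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` into `ConvertFrom-EventXml` and pass the result to `Find-UserLogon`; events from every DC must go in together, because the TGT and the service ticket of one logon can be served by different DCs.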

Centralized embedded storage

Users can log on via any of the domain controllers on the network, so you have to query all of them and consolidate the resulting set of events somewhere. Logon Reporter makes this super easy. There are two things you will like about its storage.

First, it is a single-instance store that puts all of the events in one place and makes reporting a breeze.

Second, it is an embedded database that is silently installed on the same server as the Management Service, so you don't need to spend a penny on the SQL Server licenses other vendors make you buy.

And don't worry about the performance and capacity of this database. We filter out the noise, remember? So millions of events in our database correspond to millions of logons by real users, not to the raw ticket traffic they were extracted from.

Interactive reporting tools

Lastly, you need convenient tools to analyze the user logons you captured. Logon Reporter offers the interactivity and ease of use you would expect.

At any time you can browse logon events in an interactive grid with instant filtering and sorting.

Queries take moments to execute, and you don't have to be an event log expert to grasp who was logging on where on your network.

Once you narrow the scope of your investigation down to a particular user, time frame or originating workstation, you can save the resulting events to a CSV file for further analysis in the external tools of your choice.

And that’s it!

So this has been an example of how a simple solution can be built for a rather complex problem.

We built Logon Reporter to help you knock off one of the most common requests you get every day: answering who goes where on your Active Directory network.

So go ahead and try Logon Reporter: download a free trial. Drop us a note on the support forum to let us know how we can make the product better!

Tags: event viewer, logon reporter, logon reporting, logon tracking, user auditing, user logons