We already wrote what it takes to attempt tracking logons of real users using Security event log and native tools. After seeing a laundry list of caveats you might wonder how we solved them in Logon Reporter. So, here goes the uncut truth from the creators.
First of all, lets talk about the pre-requisites.
Logon Reporter works in Active Directory domain environments only. Sorry folks, no stand alone servers or workgroups. Since it queries event logs on domain controllers it requires certain rights for its Management service.
The good news is that unlike our competition we do not need Domain Admin rights or even Local Admin rights on DCs. Just make sure that the service account is included in the Event Log Readers group in the domain where it operates.
Remote log queries
We do not install agents on every workstation and neither we “hack into” system critical processes on domain controllers making your system vulnerable to bugs in the 3rd party code and system updates. Instead we solely subscribe to Security event logs on domain controllers and try to make sense of the battery of events that get written in there every second.
Log queries happen remotely, so all you need to do is install our Management Service on one of the computers on the network and set up a list of DCs events will be queried from. Since users can log on via any DCs on the network it is recommended to set up a connection to every DCs in the monitored domain.
Picking up the right events
Here goes another prerequisite. Since we query the Security event log we expect certain events to be there. To be more specific, we rely on Account Logon Events that can be easily enabled via the Group Policy.
When you turn on this auditing policy and look into the Event Viewer on domain controllers you will see a lot of 4768 and 4769 events flooding the Security Log. Each of these events has something to do with users authenticating to resources on the network. But how do we convert them to user logons?
Smart correlation and filtering
This is where smart event correlation and filtering algorithms come into play. Logon Reporter uses a lot of rules and heuristics to distinguish events that pertain to logons of real users and assemble all the parts of the logon event you want to know about.
For example, we filter out all the “network logons” performed on behalf of the computer accounts that happen quite often when users start their desktops sessions. We also detect “Kerberos ticket refresh” and save you time on not worrying about those.
What is just as important is that we minimize the additional overhead we put on already loaded domain controllers by querying events in a bulk and assembling the true logon event on the outside not holding DCs back.
Centralized embedded storage
Users can log on via any of domain controllers on the network, so you have to query all of them and consolidate the resulting set of events somewhere. Logon Reporter makes this super easy. There are two things you will like about its storage.
First – it is a single instance storage that puts all of the events in one place and makes reporting a breath.
Second – it is an embedded database that gets silently installed on the same server where Management Service is. So, you don’t need to spend a penny on expensive SQL server licenses that other vendors make you do.
And don’t worry about the performance and capacity of this database. We filter out all the noise, remember? So, millions of events in our database will correspond to millions of logons from real users. Besides, it goes much further than that!
Interactive reporting tools
Lastly, you need to have convenient tools to analyze user logons that you captured. Luckily, Logon Reporter offers interactivity and ease of use you would expect.
At any point of time you can browse logon events in the interactive grid that offers instant filtering and sorting capabilities.
Queries take moments to execute and you don’t have to be an event log expert to grasp who was logging where on your network.
When you narrow the scope of your investigation down to the particular user and time frame or the originating workstation you can easily save resulting events into a csv file for further analysis in external tools of your choice.
And that’s it!
So, this has been an example of how easy solutions can be built for quite complex problems.
We built Logon Reporter to help you knock off one of the most common requests you get everyday – answering Who goes Where on your Active Directory based network.
So, go ahead and try Logon Reporter, download a free trial. Drop us a note to the support forum to let us know how we can make this product better!