Twice in the last month I’ve been asked to determine the usage history of a user at client sites. Simply put: you have a user who claims to have worked a weekend or late night and you need to audit their history, or someone is accessing items they should not. You could scan through Event Viewer manually, or use some commercial or freeware tool, but installing third-party software may not be allowed or secure.
Enter EventCombMT, a Windows utility now part of the Account Lockout and Management Tools available from Microsoft. As a stand-alone tool you should have no problem getting your company security administrator to allow its use: simply download, extract to a folder (temp or otherwise) and run.
So what can this handy little item do? It will search the event logs of any server (or desktop) reachable by IP, FQDN or domain name. You can specify a time and date range (handy for, say, looking for events over a weekend), keywords and event ID(s).
Event ID(s) for tracking user logon and logoff (pre-Vista ID / Vista and later ID):
512 / 4608 STARTUP
513 / 4609 SHUTDOWN
528 / 4624 LOGON
538 / 4634 LOGOFF
551 / 4647 BEGIN_LOGOFF
N/A / 4778 SESSION_RECONNECTED
N/A / 4779 SESSION_DISCONNECTED
N/A / 4800 WORKSTATION_LOCKED
* / 4801 WORKSTATION_UNLOCKED
N/A / 4802 SCREENSAVER_INVOKED
N/A / 4803 SCREENSAVER_DISMISSED
Let’s take a usage example: we want to find out if johndoe was working this weekend, so we search all the servers and his desktop for Logon (4624) and Logoff (4634) events (keep in mind that screen locking and screensaver activity are recorded under different Event IDs, listed above).
It will scan all the event logs, save anything that contains “johndoe” with Event ID 4624 or 4634, and write it out to a log file tagged with the computer name. Now instead of looking through thousands or millions of log entries you have a concise set of audit logs containing exactly what you are looking for. Play around with it, and feel free to comment on how you use the tool, or if you have a better, simpler, faster, whatever solution, please let us know.
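As an added example (not from the post or from EventCombMT), here is the same johndoe weekend search expressed in PowerShell, going one step further than the tool by pairing each 4624 with its 4634 via the Logon ID to produce session durations. The event objects are constructed sample data carrying the fields you would pull from Get-WinEvent; the computer names, times and Logon IDs are made up.

```powershell
# Added example, not part of the original post or of EventCombMT.
# Real events would come from something like:
#   Get-WinEvent -ComputerName SRV01 -FilterHashtable @{LogName='Security'; Id=4624,4634; StartTime=$from; EndTime=$to}
# with TargetUserName / TargetLogonId / LogonType read from ([xml]$e.ToXml()).Event.EventData.Data.
# Everything below is constructed sample data with those same fields.
$from = Get-Date '2011-03-05 00:00'   # Saturday 00:00
$to   = Get-Date '2011-03-07 00:00'   # Monday   00:00 (exclusive)

$events = @(
    [pscustomobject]@{ Computer='SRV01'; Id=4624; Time=Get-Date '2011-03-05 09:12'; User='johndoe'; LogonId='0x3e7a1'; LogonType=10 }
    [pscustomobject]@{ Computer='SRV01'; Id=4634; Time=Get-Date '2011-03-05 11:40'; User='johndoe'; LogonId='0x3e7a1'; LogonType=10 }
    [pscustomobject]@{ Computer='SRV01'; Id=4624; Time=Get-Date '2011-03-05 09:13'; User='janedoe'; LogonId='0x3e7b0'; LogonType=3 }
    [pscustomobject]@{ Computer='WS-JD'; Id=4624; Time=Get-Date '2011-03-06 20:05'; User='johndoe'; LogonId='0x11c20'; LogonType=2 }
    [pscustomobject]@{ Computer='WS-JD'; Id=4624; Time=Get-Date '2011-03-04 17:55'; User='johndoe'; LogonId='0x10aaa'; LogonType=2 }  # Friday: outside the window
)

function Get-UserSessions {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [string]    $User,
        [Parameter(Mandatory)] [datetime]  $Start,
        [Parameter(Mandatory)] [datetime]  $End
    )
    # Same filter EventCombMT applies: account name, event ID and date/time window
    $mine = $Events | Where-Object { $_.User -eq $User -and $_.Time -ge $Start -and $_.Time -lt $End }
    $open = @{}        # "computer|LogonId" -> pending 4624 waiting for its 4634
    $sessions = @()
    foreach ($e in ($mine | Sort-Object Time)) {
        $key = "$($e.Computer)|$($e.LogonId)"
        if ($e.Id -eq 4624) { $open[$key] = $e; continue }
        if ($e.Id -eq 4634 -and $open.ContainsKey($key)) {
            $on = $open[$key]; $open.Remove($key)
            $sessions += [pscustomobject]@{ Computer=$e.Computer; LogonType=$on.LogonType
                                            Logon=$on.Time; Logoff=$e.Time; Duration=$e.Time - $on.Time }
        }
    }
    # A 4624 with no 4634 in the window: session still open, or the logoff fell outside the window
    foreach ($on in $open.Values) {
        $sessions += [pscustomobject]@{ Computer=$on.Computer; LogonType=$on.LogonType
                                        Logon=$on.Time; Logoff=$null; Duration=$null }
    }
    return $sessions | Sort-Object Logon
}

# LogonType 2 = interactive console, 10 = RDP; type 3 (network) is mostly file-share noise when auditing presence
Get-UserSessions -Events $events -User 'johndoe' -Start $from -End $to | Format-Table -AutoSize
```

With the sample data this lists one closed RDP session on SRV01 (2h28m) and one open console logon on WS-JD on Sunday evening; the Friday logon is dropped by the window filter, as EventCombMT's date range would drop it.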