  • Logon Session Times

    How to Get User Logon Session Times from the Event Log


    To figure out user session time, you’ll first need to enable three advanced audit policies: Audit Logoff, Audit Logon and Audit Other Logon/Logoff Events.

    The combination of these three policies gets you all of the typical logon/logoff events, but it also gets the workstation lock/unlock events and even RDP connect/disconnects. This ensures we get all of the session start/stop events.

    When these policies are enabled in a GPO and applied to a set of computers, a few different event IDs will begin to be generated. They are:

    • Logon – 4624 (Security event log)
    • Logoff – 4647 (Security event log)
    • Startup – 6005 (System event log)
    • RDP Session Reconnect – 4778 (Security event log)
    • RDP Session Disconnect – 4779 (Security event log)
    • Locked – 4800 (Security event log)
    • Unlocked – 4801 (Security event log)

    You’ll notice the startup event. Why that one? What if the computer’s power plug is pulled while a user is logged in? How will we know when that happened? It’s not a perfect metric, but the next startup event is the only date/time we have to show when it happened.

    Once we’ve got all of the IDs put together, we’ll then need to match the session start event with the very next session end event. But what if there are multiple users logging into a computer? To differentiate, we can use the Logon ID field. This is a unique field for each logon session. If we can find a session start time and then look up through the event log for the next session stop time with the same Logon ID, we’ve found that user’s total session time.


    In this instance, you can see that the LABAdministrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. I then looked up through the event log at the subsequent messages until I found a session end event (ID 4634) that showed up with the same Logon ID at 5:30PM on the same day. Knowing this Logon ID, I was then able to deduce that the LABAdministrator account had been logged on for three minutes or so.

    This was just a quick demonstration of actual logon/logoff scenarios. You’ll find that when you review a computer in the “real world” you can’t always depend on logon/logoff events if you’d like to find user session durations. Multiple scenarios may come into play such as when a user locks her computer and comes back to unlock it. Perhaps she may lock her computer and the power gets cut. There will be no unlock event; only a startup event. These are the gotchas you need to watch out for to be able to accurately calculate user session history.
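    The matching rule described above, as an added example that is not part of the original post: events are assumed to have already been exported (for instance from Get-WinEvent) into records with a time, an event ID, a Logon ID and a user name; the sample records are constructed here, modelled on the LAB\Administrator example, and the 6005 startup event closes every session that is still open, which is the power-cut gotcha.

```python
from datetime import datetime

# Event IDs the article lists (Security log unless noted)
SESSION_START = {4624, 4778, 4801}      # logon, RDP reconnect, unlock
SESSION_END = {4634, 4647, 4779, 4800}  # logoff (both forms), RDP disconnect, lock
STARTUP = 6005                          # System log: boot; carries no Logon ID

def pair_sessions(events):
    """Match each session start to the next end event with the same Logon ID.

    `events` is an iterable of dicts with keys time (datetime), id (int),
    logon_id (str or None) and user (str or None).  A 6005 startup event closes
    every still-open session, since the machine went down without a logoff.
    Returns (user, logon_id, start, end, end_event_id) tuples; end is None when
    the session never closed within the events examined.
    """
    open_sessions = {}   # Logon ID -> (user, start time)
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in SESSION_START:
            # First start wins; a duplicate start for an open Logon ID is ignored
            open_sessions.setdefault(ev["logon_id"], (ev["user"], ev["time"]))
        elif ev["id"] in SESSION_END and ev["logon_id"] in open_sessions:
            user, start = open_sessions.pop(ev["logon_id"])
            sessions.append((user, ev["logon_id"], start, ev["time"], ev["id"]))
        elif ev["id"] == STARTUP:
            for logon_id, (user, start) in open_sessions.items():
                sessions.append((user, logon_id, start, ev["time"], STARTUP))
            open_sessions.clear()
    for logon_id, (user, start) in open_sessions.items():
        sessions.append((user, logon_id, start, None, None))
    return sessions

def total_minutes(sessions):
    """Sum closed-session durations per user, in whole minutes."""
    totals = {}
    for user, _lid, start, end, _reason in sessions:
        if end is not None:
            totals[user] = totals.get(user, 0) + int((end - start).total_seconds() // 60)
    return totals

# Constructed sample records (hypothetical Logon IDs and second user)
def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

SAMPLE_EVENTS = [
    {"time": _t("2015-08-27 17:28"), "id": 4624, "logon_id": "0x146FF6", "user": "LAB\\Administrator"},
    {"time": _t("2015-08-27 17:29"), "id": 4624, "logon_id": "0x1A2B3C", "user": "LAB\\jdoe"},
    {"time": _t("2015-08-27 17:30"), "id": 4634, "logon_id": "0x146FF6", "user": "LAB\\Administrator"},
    {"time": _t("2015-08-27 17:40"), "id": 4800, "logon_id": "0x1A2B3C", "user": "LAB\\jdoe"},  # locked
    {"time": _t("2015-08-27 17:50"), "id": 4801, "logon_id": "0x1A2B3C", "user": "LAB\\jdoe"},  # unlocked
    {"time": _t("2015-08-27 18:05"), "id": 6005, "logon_id": None, "user": None},  # power cut, reboot
]
```

Running `total_minutes(pair_sessions(SAMPLE_EVENTS))` credits jdoe with 26 minutes across two sessions, the second of which is closed by the startup event rather than by a lock or logoff.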

  • Original URL: https://www.cnblogs.com/thescentedpath/p/LogonSessionTimes.html