Today, our customer asks us how we can know when the Administrator has logon via terminal server on Windows Server on their Domain.
The answer is with SCOM, using the event alert feature.
When you do a login in Windows 2008 or higher and the audit is running an event with id 4624 is created in the security log of the machine.
So first step to create the alert / monitor is to enable the audit.
You have to add new group policy with the audit enabled in the OU of the computers that you want to monitor, in this image you can see highlighted what
As always you can force the policy update with gpupdate /force.
If you have any doubt about what any of the options means, here is
a good explanation about the differences between Audit Logon Events and Audit Account Logon Events.
Now, when a user does a login in the system, the event 4624 is going to be written in the local machine event log, as you can see in the following image.
With this data, you can make the event monitor, as you know, you have to start at the Authoring screen in the main SCOM dashboard, Management Pack Objects,
These inserted images show you how to set up the monitor step-by-step.
The question here is, how can I know which is the number of the parameter? It is easier than you can expect, just count line by line the text that appears
in the details of the event 4624, for example:
SubjectUserSid S-1-5-18 <-- 1
SubjectUserName XXXXX <-- 2
SubjectDomainName XXXX <-- 3
SubjectLogonId 0x3e7 <-- 4
TargetUserSid S-1-5-21-XXXX <-- 5
TargetUserName XXXXX <-- 6
TargetDomainName XXX <-- N
TargetLogonId XXXXX <-- N+1
There are alternatives to do this, for example, you can use Logparser to count the parameters, doing something like this:
Logparser.exe "select top 1 Strings AS Parameters FROM security where EventID=4624"
Finally, you need to know what all fields on the event mean, you can check it here.