Asked by:
windows server Audit system

Question
-
I enabled this policy: audit policy for logon events.
My question is:
Where can I find the logs of my clients in the domain controller's Event Viewer?
I have 1 DC and 3 clients, and I want to know where the logon events are. Please help me!
Wednesday, May 24, 2017 2:31 PM
All replies
-
What policy did you enable and where?
Logon events are stored on the client in the "Security" log.
This is not really a scripting issue. It is a basic "how do I use Windows" issue.
\_(ツ)_/
Wednesday, May 24, 2017 2:37 PM -
I want to extract this data with PowerShell directly from the domain controller.
I would like to get the data directly from the domain controller to avoid invoke command (it is too slow).
I enabled this policy:
computerconfiguration\policies\windowssettings\securitysettings\policy\audit logon events
Please help me!
Wednesday, May 24, 2017 2:52 PM -
Audit logon events is per system and only records local logons.
By default all logons are recorded on the DC that handled the logon and have to be extracted from each security log.
Look in the Gallery for examples.
\_(ツ)_/
Wednesday, May 24, 2017 3:16 PM -
How can I extract this log from the domain controller?
Wednesday, May 24, 2017 4:20 PM
-
Wednesday, May 24, 2017 5:07 PM
-
Event Logging and Viewing:
https://msdn.microsoft.com/en-us/library/bb726966.aspx
See examples of the events described in this article at the Security Log Encyclopedia:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
How to track user logon sessions using event log:
https://community.spiceworks.com/how_to/130398-how-to-track-user-logon-session-using-event-log
Track successful account logon using Windows Server auditing features:
https://community.spiceworks.com/how_to/128058-track-successful-account-logon-using-windows-server-auditing-features
Hope you find the above information helpful.
Solutions for Active Directory to audit, monitor and manage.
- Proposed as answer by Hello_2018 Thursday, May 25, 2017 9:05 AM
Thursday, May 25, 2017 6:41 AM -
How can I extract this log from the domain controller?
# $time is the start of the search window; replace xxxx with the event ID to search for.
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$time; Id=xxxx; ProviderName='Microsoft-Windows-Security-Auditing'}
See these links:
https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/03/use-filterhashtable-to-filter-event-log-with-powershell/
Best regards,
Andy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Hello_2018 Monday, June 5, 2017 3:01 AM
Thursday, May 25, 2017 9:12 AM
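As the replies above note, logons are recorded in the Security log of the DC that handled them and have to be extracted from each security log. The following is an added example, not code from any poster in this thread, that does so with Get-WinEvent -FilterHashtable and returns one object per event. The function name Get-DcLogonEvent and the computer name DC01 are hypothetical, and event ID 4624 (successful logon) and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example: collect logon events from the Security log of one or more
# domain controllers. 'DC01' is a hypothetical name; event ID 4624 and the
# 24-hour window are assumptions, not values from the thread.
function Get-DcLogonEvent {
    param(
        [string[]]$ComputerName = @('DC01'),
        [datetime]$StartTime    = (Get-Date).AddHours(-24),
        [int[]]$Id              = @(4624)
    )
    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
        try {
            # The filter is evaluated by the remote event log service, so
            # only matching records cross the network.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Also raised when the filter matches nothing on this DC.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Named fields live in the event XML under EventData/Data.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                User             = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType        = $data['LogonType']
                Workstation      = $data['WorkstationName']
                SourceAddress    = $data['IpAddress']
            }
        }
    }
}

# Query one DC, drop computer accounts (names ending in $), oldest first.
Get-DcLogonEvent -ComputerName 'DC01' |
    Where-Object { $_.User -notlike '*$' } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Reading a remote Security log requires an account with rights to that log on the DC and a firewall that permits remote event log management; pass every DC name in -ComputerName to cover the whole domain.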