The Aelita/Quest product is called Intrust. The reporter is ‘what is out there?’ Intrust is ‘what is going on out there?’.

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT

Aelita (now Quest) had an app that would give you what I think you are looking for. Even send the reports via e-mail. I think it's been repackaged as Quest Reporter. It uses a SQL database to aggregate and report on all the data.

Dave

//SIGNED//

------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft

Some fool mentioned to our HR department that we can track
our employees’ work routines by auditing the login events to our DCs instead of their supervisors actually doing work and tracking the work habits of their charges. So now I need to present reports to our illustrious HR department in terms they can understand (pretty pictures and colors with all the details washed out so they can grasp the picture).

I started by enabling login successes in the default DC policy and was overwhelmed by a flood of events from login attempts and the constant flood of logins (20,000 security events/day) from our LANutil inventory (don’t ever use PC-Duo) software (originally set up wrong by helpdesk staff and currently locking the accounts of anyone associated with that deployment (I’m letting them suffer for the moment because they did it without asking for Domain Admin support)).

Currently I am using a 60 day trial of GFI’s SELM log monitor to archive events (until my UNIX admin has the time to learn enough PROLOG to get Tivoli to mine our logs, or I learn how to use the free MS Log Parser to mine our DCs) and I did a test login and logout on a test user account (all events associated with that user were cleaned prior to testing) and I found that logging in created 28 mixed login and logout events (including 538, 540, 673 events) on login but only 1 540 logON event during logOFF and 2 538 logoff events 12 and 41 minutes after logging out!!!

What I would really like to do is tell HR to &[EMAIL PROTECTED] themselves and tell the supervisors to do a better job tracking their employees and spend my valuable time tracking events for critical System and application events instead of babysitting the incompetents. But unfortunately the powers that be wish to appease the HR beast rather than put it in its place, so I have to clean up the flood of login events into a form that they can understand.

Does anyone recommend any software suited to this purpose or does anyone know of a simple query of events to pinpoint domain activity?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
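An added example, not part of the original thread and not taken from any of the products named in it: one way to collapse the flood of 538/540/673 events described above into a single first-seen/last-seen row per user per day, dropping machine accounts and a noisy inventory service account. The CSV layout, the account names (including `svc_inventory`) and the dates are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp, event ID, account, source host.
SAMPLE = """\
2006-03-01 08:02:11,540,jdoe,WS-014
2006-03-01 08:02:11,673,jdoe,WS-014
2006-03-01 08:02:12,538,jdoe,WS-014
2006-03-01 08:02:12,540,WS-014$,WS-014
2006-03-01 08:05:40,540,svc_inventory,INV-01
2006-03-01 08:05:41,538,svc_inventory,INV-01
2006-03-01 12:31:05,540,jdoe,WS-014
2006-03-01 17:04:50,540,jdoe,WS-014
2006-03-01 17:16:50,538,jdoe,WS-014
2006-03-01 09:15:00,540,asmith,WS-022
2006-03-02 08:10:00,540,jdoe,WS-014
"""

LOGON_IDS = {"538", "540", "673"}  # the event IDs named in the post


def daily_activity(text, ignore=frozenset()):
    """Return {(date, user): (first_seen, last_seen, raw_event_count)}."""
    seen = defaultdict(list)
    for ts, event_id, user, _host in csv.reader(io.StringIO(text)):
        user = user.lower()
        if event_id not in LOGON_IDS:
            continue
        # Machine accounts end in "$"; service accounts are listed by the caller.
        if user.endswith("$") or user in ignore:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        seen[(when.date().isoformat(), user)].append(when)
    return {
        key: (min(times).strftime("%H:%M"), max(times).strftime("%H:%M"), len(times))
        for key, times in sorted(seen.items())
    }


if __name__ == "__main__":
    rows = daily_activity(SAMPLE, {"svc_inventory"})
    for (day, user), (first, last, n) in rows.items():
        print(f"{day}  {user:<8} first={first} last={last} ({n} raw events)")
```

Because the 538 logoff events in the post arrived 12 and 41 minutes after the actual logout, the last-seen time is an upper bound rather than an exact departure time.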
