Solved: How can I search Windows security events to track ...

pateld · ‎05-17-2016

Hi

How can I use Window security events to track which admin users ("-admin") did log on or log off into our domain computer?

thanks

woodcock · ‎05-28-2016

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this:

index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs]

View solution in original post

woodcock · ‎05-28-2016

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this:

index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs]

How can I search Windows security events to track which admin users logged on or off our domain computer?

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms