pateld
Explorer
05-17-2016
11:09 AM
Hi
How can I use Windows security events to track which admin users ("-admin") logged on to or logged off from our domain computer?
Thanks
1 Solution
woodcock
Esteemed Legend
05-28-2016
06:36 PM
First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called `host` and is in a lookup definition called `DCs` (pointing to a lookup file called anything you like). Then you can do this:
index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs]
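A follow-on to the search in the answer above that labels each event as a logon or a logoff and summarizes activity per domain controller and admin account; this is an added example, not part of woodcock's answer. It assumes the account name is extracted into a field called `Account_Name`, which can be multivalued on logon events, so `mvfilter` keeps only the "-admin" value; `action`, `admin_account`, `events`, `first_seen` and `last_seen` are names chosen here.

```spl
index=yourIndexHere "Account Name" = "*-admin*"
    (EventCode="528" OR EventCode="540" OR EventCode="4624"
     OR EventCode="538" OR EventCode="551" OR EventCode="4634" OR EventCode="4647")
    [| inputlookup DCs | fields host]
| eval action=case(EventCode=528 OR EventCode=540 OR EventCode=4624, "logon",
                   EventCode=538 OR EventCode=551 OR EventCode=4634 OR EventCode=4647, "logoff")
| eval admin_account=mvfilter(match(Account_Name, "(?i)-admin"))
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen
        BY host, admin_account, action
| sort 0 host, admin_account, first_seen
| convert ctime(first_seen) ctime(last_seen)
```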