
How can I search Windows security events to track which admin users logged on or off our domain computer?

New Member

Hi

How can I use Windows security events to track which admin users ("-admin") logged on to or logged off from our domain computer?

thanks

0 Karma

Re: How can I search Windows security events to track which admin users logged on or off our domain computer?

Esteemed Legend

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this:

index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs] 


0 Karma
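The following is an added example, not part of the original answer: a Python sketch of the three filters the search applies (domain controller host, "-admin" account name, logon/logoff event code), which also labels each hit as a logon or logoff. The event dictionaries, their field names (`time`, `host`, `account`) and the host names are constructed for illustration and are assumptions, not Splunk's own field names.

```python
from fnmatch import fnmatchcase

# Event codes from the search above, grouped by meaning. The three-digit
# codes are the pre-Vista IDs; the 46xx codes are the current equivalents.
LOGON_CODES = {"528", "540", "4624"}
LOGOFF_CODES = {"538", "551", "4634", "4647"}

# Constructed stand-in for the DCs lookup (single "host" column).
DCS = {"dc01", "dc02"}

# Constructed sample events (field names are assumptions).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "host": "dc01", "EventCode": "4624", "account": "jdoe-admin"},
    {"time": "2024-05-01T08:30:00", "host": "dc01", "EventCode": "4634", "account": "jdoe-admin"},
    {"time": "2024-05-01T09:00:00", "host": "dc02", "EventCode": "4624", "account": "jdoe"},          # not an admin account
    {"time": "2024-05-01T09:05:00", "host": "ws17", "EventCode": "4624", "account": "asmith-admin"},  # host not in DCs
    {"time": "2024-05-01T09:10:00", "host": "dc02", "EventCode": "4625", "account": "asmith-admin"},  # failed logon, not in the code list
    {"time": "2024-05-01T09:15:00", "host": "DC02", "EventCode": "540", "account": "ASMITH-ADMIN"},   # legacy code, upper case
    {"time": "2024-05-01T09:45:00", "host": "dc02", "EventCode": "4647", "account": "asmith-admin"},
]

def admin_activity(events, dcs=DCS, pattern="*-admin*"):
    """Return (time, host, account, action) for events passing all three filters."""
    hits = []
    for ev in events:
        host, account = ev["host"].lower(), ev["account"].lower()
        code = str(ev["EventCode"])
        if host not in dcs or not fnmatchcase(account, pattern):
            continue
        if code in LOGON_CODES:
            action = "logon"
        elif code in LOGOFF_CODES:
            action = "logoff"
        else:
            continue  # e.g. 4625 (failed logon) is outside the searched codes
        hits.append((ev["time"], host, account, action))
    return sorted(hits)

def summarize(hits):
    """Count logons and logoffs per admin account."""
    counts = {}
    for _, _, account, action in hits:
        counts.setdefault(account, {"logon": 0, "logoff": 0})[action] += 1
    return counts

if __name__ == "__main__":
    for row in admin_activity(SAMPLE_EVENTS):
        print(*row)
    print(summarize(admin_activity(SAMPLE_EVENTS)))
```

Failed logons (4625) fall outside the code list in the search, so neither the search nor this sketch reports them.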