How To Monitor Account Logon Events

There are many ways to monitor account logon events: you can create a logon script to capture the information, use free third-party tools, or use the built-in Windows logging system. In this article, we will look at Microsoft’s built-in tools for monitoring, which are often lacking in scope and simplicity but are free and can get you the information you need. In a domain environment, you can choose to monitor when users log on and are authenticated by a domain controller. A policy can be set to audit successful or failed logon events; the logon event is written to the domain controller’s Security log.

There are several reasons to monitor logon events. For a start, it keeps a record of the date and time an account was logged on to, which can be referenced later if questionable activity is detected on your network. If the logs are monitored properly, you may be able to prevent security breaches and learn from events to prevent them in the future. A large number of unsuccessful logon attempts can indicate an attack on your network.

After enabling Logon Auditing, you will want to check your Security event log for the following Event IDs.

Event IDs to Monitor:

  ID      Message
  4624    An account was successfully logged on (see figure 1)
  4625    An account failed to log on (see figure 2)
  4648    A logon was attempted using explicit credentials (see figure 3)
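As an added example (not part of the original article), the following Windows PowerShell snippet pulls those three Event IDs from the local Security log for the last 24 hours, summarises them, and then breaks down the 4625 failures by target account and source address so that a burst of failed logons stands out. It must be run from an elevated prompt (reading the Security log requires Administrators or Event Log Readers membership), on a domain controller if you want to see domain authentications, and the 24-hour window, the threshold of 10 failures and the small SubStatus lookup table are assumptions you should adjust to your environment.

```powershell
# Added example, not from the original article.
# Summarise logon events in the Security log and flag accounts/sources with many failures.
$since     = (Get-Date).AddHours(-24)   # assumed window
$threshold = 10                          # assumed: failures per account+source worth reporting

# Well-known NTSTATUS SubStatus values seen in 4625 (only a few common ones are listed here)
$reason = @{
    '0xc000006a' = 'bad password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

# 1. How many of each event type did we get?
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Parse the 4625 failures into flat records (the useful fields live in EventData, so read the XML)
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = "$($d['SubStatus'])".ToLower()
        [pscustomobject]@{
            Time          = $_.TimeCreated
            TargetUser    = $d['TargetUserName']
            TargetDomain  = $d['TargetDomainName']
            LogonType     = $d['LogonType']          # e.g. 2 interactive, 3 network, 10 RDP
            SourceAddress = $d['IpAddress']
            Workstation   = $d['WorkstationName']
            Reason        = if ($reason.ContainsKey($sub)) { $reason[$sub] } else { $sub }
        }
    }

# 3. Group by account and source; anything at or above the threshold deserves a look
$failures |
    Group-Object TargetUser, SourceAddress |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].TargetUser } },
        @{ n = 'Source';  e = { $_.Group[0].SourceAddress } },
        @{ n = 'Reasons'; e = { ($_.Group.Reason | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

The reason column is what turns a raw count into a signal: many "user name does not exist" failures from one source look like guessing, while repeated "bad password" failures against one existing account from many sources look like spraying. Both are worth correlating with the 4624 successes from the same sources.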

Figure 1: Event ID 4624, "An account was successfully logged on" (image not included)

Figure 2: Event ID 4625, "An account failed to log on" (image not included)

Figure 3: Event ID 4648, "A logon was attempted using explicit credentials" (image not included)

Enabling Logon Auditing

  • Open Group Policy Management and create a new GPO.
  • Edit the GPO and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, click Audit Policy, then double-click Audit account logon events. Be sure to check both Success and Failure. (see figure 4)
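If you prefer to set and verify the same policy from a command line (for a lab machine, or to confirm what a GPO actually applied), the following is an added example and not part of the original article. It uses the built-in auditpol tool, which works at the finer subcategory level: the legacy "Audit account logon events" setting corresponds to the "Account Logon" category, while Event IDs 4624, 4625 and 4648 are produced by the "Logon" subcategory under "Logon/Logoff", so both are enabled here. Run it from an elevated prompt.

```powershell
# Added example, not from the original article. Requires an elevated prompt.

# Enable success and failure auditing for credential validation on the DC ("Account Logon")
auditpol /set /category:"Account Logon" /success:enable /failure:enable

# Enable the subcategory that actually writes 4624 / 4625 / 4648
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Verify the effective settings; each line should read "Success and Failure"
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# Quick sanity check: has a 4624 been written since the policy was applied?
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($recent) {
    "Most recent 4624: $($recent.TimeCreated)"
} else {
    "No 4624 events found yet; log on once and re-check."
}
```

Note that on a domain-joined machine a GPO will overwrite local auditpol changes at the next policy refresh, so the command line is for verification and lab use; the GPO remains the authoritative setting.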

Figure 4: Audit account logon events policy with Success and Failure checked (image not included)

Once you start auditing logon events, your Security log will grow. Make sure you have adequate space in the location where your log files are stored. By default, the log overwrites the oldest events when it runs out of space. You can change this option by right-clicking the Security log and choosing Properties. From there, choose “Archive the log when full, do not overwrite events”. The option “Do not overwrite events” requires you to clear log entries manually to prevent the disk from running out of space. You must be a member of the Administrators group to set the log retention policy. (See figure 5)
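The same retention change can be made and checked from an elevated prompt; the snippet below is an added example, not code from the article. It uses wevtutil to raise the Security log's maximum size and switch it to archive-when-full (the /rt:true /ab:true pair is what the "Archive the log when full" radio button sets), then reports the log mode, the space already taken by archived copies, and the free space on the volume so you can see whether the chosen size is sustainable. The 1 GiB maximum is an assumed value.

```powershell
# Added example, not from the original article. Requires an elevated prompt.

# Set a 1 GiB maximum (assumed value) and retain + auto-backup, i.e. "Archive the log when full"
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# Read back the configuration (maxSize, retention, autoBackup) in wevtutil's own format
wevtutil gl Security

# Now check what that means for disk usage
$cfg  = Get-WinEvent -ListLog Security
$path = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)   # usually %SystemRoot%\System32\winevt\Logs\Security.evtx
$dir  = Split-Path -Path $path

# Archived copies are written next to the live log as Archive-Security-<timestamp>.evtx
$archives = Get-ChildItem -Path $dir -Filter 'Archive-Security-*.evtx' -ErrorAction SilentlyContinue
$archivedBytes = ($archives | Measure-Object -Property Length -Sum).Sum

$driveLetter = (Split-Path -Path $path -Qualifier).TrimEnd(':')
$free = (Get-PSDrive -Name $driveLetter).Free

[pscustomobject]@{
    LogMode       = $cfg.LogMode                                   # Circular, AutoBackup or Retain
    MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    ArchivedFiles = @($archives).Count
    ArchivedMB    = [math]::Round($archivedBytes / 1MB)
    FreeSpaceMB   = [math]::Round($free / 1MB)
} | Format-List
```

With archive-when-full, each full log becomes a new file that nothing deletes for you, so the archived total grows without bound; schedule a task to move or prune old Archive-Security-*.evtx files (or forward the log to a collector) before FreeSpaceMB reaches zero.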

Figure 5: Security log Properties dialog showing the log retention options (image not included)

For more IT systems monitoring tools, see Netwrix’s top 7 free tools for IT professionals.