Windows User Monitoring

05 Base Camper

Is there a way to show who is currently logged into a Windows server? Right now I have it set up to get alerts when a user logs on, but am looking for a realtime display of who is logged in.

Re: Windows User Monitoring

As you are aware, you are probably already using the Windows events within Prognosis to monitor for the key login events: Windows Security Log Event ID 4624, which you can tie to logoff events 4634 and 4647 using Logon ID. Though I realize you are probably looking for the current users logged on.

The easiest way is to create a display using NTProcess, include only the field "Username" and maybe "Busy %", and then do a Combine over the "Username" field and only show combined data. This will give you a list of all users logged in and running processes, as if they are logged in they will be running 'something'.

Then you can filter out your service accounts for MSSQL, NTAUTHORITY, etc. to get your users. Usually the non-service accounts jump out like a sore thumb, and you can flag them as such using a visual alert.

Christopher

Christopher R Souser - Sr. Services Solution Engineer, Payments & Infrastructure – MSci. PA, CISSP, ITIL.
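
The event correlation mentioned in the answer above (logon 4624 tied to logoff 4634/4647 by Logon ID), as an added example that is not part of the original post and not Prognosis code. It assumes the Security log events are available as event XML, oldest first; the helper names, hosts, users and Logon IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON, LOGOFF = {"4624"}, {"4634", "4647"}
INTERACTIVE = {"2", "10", "11"}  # console, RDP (RemoteInteractive), cached interactive

def make_event(eid, when, computer, **data):
    """Build one constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample events, oldest first (hosts, users and Logon IDs are made up).
SAMPLE = [
    make_event(4624, "2020-01-06T09:00:00Z", "SRV01", TargetUserName="alice",
               TargetLogonId="0x3e8a1", LogonType=10),
    make_event(4624, "2020-01-06T09:01:00Z", "SRV01", TargetUserName="svc_sql",
               TargetLogonId="0x3f000", LogonType=5),   # service logon, ignored
    make_event(4624, "2020-01-06T09:05:00Z", "SRV01", TargetUserName="bob",
               TargetLogonId="0x4a2b0", LogonType=2),
    make_event(4624, "2020-01-06T09:10:00Z", "SRV02", TargetUserName="carol",
               TargetLogonId="0x3e8a1", LogonType=10),  # same ID, different host
    make_event(4647, "2020-01-06T09:30:00Z", "SRV01", TargetUserName="bob",
               TargetLogonId="0x4a2b0"),
    make_event(4634, "2020-01-06T09:30:02Z", "SRV01", TargetUserName="bob",
               TargetLogonId="0x4a2b0", LogonType=2),
]

def active_sessions(events_xml):
    """Return {(computer, logon_id): {"user", "since"}} for sessions still open."""
    sessions = {}
    for xml in events_xml:
        root = ET.fromstring(xml)
        eid = root.findtext("e:System/e:EventID", namespaces=NS)
        host = root.findtext("e:System/e:Computer", namespaces=NS)
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
        # Logon IDs are only unique per machine, so key on host as well.
        key = (host, data.get("TargetLogonId"))
        if eid in LOGON and data.get("LogonType") in INTERACTIVE:
            sessions[key] = {"user": data["TargetUserName"], "since": when}
        elif eid in LOGOFF:
            sessions.pop(key, None)  # 4647 and 4634 may both arrive for one session
    return sessions

if __name__ == "__main__":
    for (host, logon_id), s in sorted(active_sessions(SAMPLE).items()):
        print(f'{host}  {s["user"]:<8} since {s["since"]}  (Logon ID {logon_id})')
```

Keying on the computer name as well as the Logon ID keeps sessions from several servers apart when their events are merged into one view.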

05 Base Camper

Re: Windows User Monitoring

Thank you Christopher. This is extremely helpful. Is there a way to have it say what server the user is logged into without doing separate displays per server? I'm trying to monitor 5 servers in one display.

Re: Windows User Monitoring

Yes, super easy: have the node be "Entire Network" or the Nodegroup you desire.

Then display the meta ".Nodename" in the display.

Christopher R Souser - Sr. Services Solution Engineer, Payments & Infrastructure – MSci. PA, CISSP, ITIL.

05 Base Camper

Re: Windows User Monitoring

Nailed it. Thank you sir.
