Tag Archives: event description

How to display logons of non-domain users to the system

Sometimes you may need to display who logs on to your server other than authenticated domain users: authenticated users from a trusted domain, local users, system services, etc. First, we decide to filter the Security log by Event ID = 4624 (as we did before). The description of this event looks like "An account was successfully logged on. Subject: …"

How to track printer usage with event logs

At present, US companies spend a total of $120 billion on printed forms annually, and each employee uses about 10,000 sheets of paper, according to CompTIA. That is why monitoring printer usage is important for cutting the cost of printer supplies and improving their utilization. Another reason to know who uses corporate printers, and how, is to manage your resources and plan upgrades or downgrades…

The fastest way to filter events by description

Filtering events by description is one of the questions we are asked most often. Some time ago I wrote an article devoted to this problem. Recently we had to check all events in the Security log linked with a certain file (let's say it is winword.exe, C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE). The easiest solution was to use the Filter command and type the file name in the "Text in description"…

Process tracking with Event Log Explorer

When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing, use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking or use…

Once again about custom columns – extracting details from Application or System event logs

In my article "Exploring who logged on the system", I described how to add custom columns to the event list that display data from the event description. You might think that adding custom columns works for Security event logs only. Although we initially designed the Custom columns feature specifically for Security logs (and referred to fields by name, e.g. Subject\Account name), we made it possible to use…

Advanced filtering. How to filter events by event description

A key instrument for event log analysis is event filtering. All known event log analysis tools have a filtering feature, and I suppose it is the most demanded feature of these applications. Setting a filter for most event fields is easy. As a rule, all event log applications let you filter by timeframe, event level, source, event IDs, users or computers…

Exploring who logged on the system

One of the most important tasks in security event log analysis is to find out who or what logs on to your system. Here I will explain how Event Log Explorer helps you solve this task. First, you need to make sure that Windows security auditing is enabled for logon events. You can do this using Local Security Policy or Group Policy, depending on…