Change Auditor for Logon Activity 7.2 - User Guide

User Logon Activity Searches/Reports

Introduction

You can run built-in searches to retrieve user logon activity captured by deployed Change Auditor server and workstation agents. In addition, you can create custom queries to search for specific user logon activities that need to be tracked in your environment.

 

Built-in logon activity searches

To see a complete list of built-in reports, see the Change Auditor Built-in Reports Reference Guide.

Running the All Logons in the Past 24 hours search retrieves all user logon activity for monitored servers and workstations.

2. Expand and select the Shared | Built-in | Logon Activity folder to display the built-in searches available.
3. In the right-hand pane, locate the All Logons in the Past 24 hours search and use one of the following methods to run the selected search:
   - Select the search definition and click the Run tool bar button at the top of the Searches page.

Create custom user logon activity searches

This search captures both successful and failed logon attempts from a remote computer on the network.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.
3. Click New.
5. Open the What tab, expand Add and select Subsystem | Logons.
6. On the Add Logons dialog, select Network, click Add to add it to the selection list, and click OK.
7. Click Run to save and run the newly created search.

This search captures logon events that contain the specified failure reason or status code.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.
3. Click New.
5. Open the What tab, expand Add and select Subsystem | Logons.
   NOTE: Alternatively, you can use Add with Events | Subsystem | Logons to select an entry that already has an event in the database.
7. Click to enable the Logon Failure Reason filter, select the comparison operator to use (Like or Not Like) and enter the description. You can also use the wildcard character * for a partial search.
   Click to enable the Logon Status Code filter, select the comparison operator to use (Equals or Does not equal) and enter the code.
8. Click Add to add the filter, Remove to remove a filter, or Update to apply a change to the filter, then click OK.
9. Click Run to save and run the newly created search.

This scenario uses the Runtime Prompt options to create a generic search definition where you can then specify the user and time interval each time you run the search.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.
3. Click New.
5. Open the Who tab and select Runtime Prompt to specify the user to be audited each time you run this search.
6. Open the What tab, expand Add and select Subsystem | Logons.
7. On the Add Logons dialog, select each logon type and click Add. (You will need to add each logon type individually.) Click OK to save your selections and close the dialog.
8. Open the When tab and select Runtime Prompt to specify the time interval each time you run this search.
9. Select Run to save and run the search.
10. Since you selected the Runtime Prompt options on both the Who tab and When tab, you will be prompted to specify the user whose logon activity you want to audit and the time interval to be searched:
    - On the Select Active Directory Objects dialog, use the Browse or Search pages to locate one or more users. Click Add to add the selected user to the list at the bottom of the page. Click Select to save your selection and close the dialog.