Table of Contents
- Getting Started
- Agent-Based Monitoring
- Data Providers
- Directory Services
- Auditing
- Hosts
- Templates
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Script Template
- Registry Value Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Network and Application Monitor Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- Database Table Reseed
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Monitors
- Reports
- Auto-Configurators
- Filters
- Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
- Schedules
- Environment Variables
- Options
- Account Lockout Monitoring and Reporting
- Merging Logs
- SNMP
- SSH Shell
- Exporting and Importing Configuration Objects
- Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Azure Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Executable Timeline
- Command Line Interface
- Troubleshooting
- Terminology
Logon Sessions Report
Logon Session Reporting is the process of scanning Windows Event Logs for Event IDs 4624, 4634 and 4647, correlating the Logon and Logoff Events, flagging incomplete logon sessions, flagging inactive accounts, then finally, reporting the results in Corner Bowl Server Manager, through email or by saving to a file such as a CSV, HTML or PDF file.
Relevant Event IDs:
- 4624(S): An account was successfully logged on.
- 4634(S): An account was logged off.
- 4647(S): User initiated logoff.
Report Variants:
Sever Manager includes 4 different types of Logon Sessions Reports:
| Type | Description |
|---|---|
| Logon Sessions |
Scans multiple Security Event Logs for logon session events, then, correlates the events using the Logon ID grouped attribute value. Each logon session is listed in the report. |
| Logon Session Summary |
Like the Logon Sessions report, however, entries are grouped by logon name then logon type. Each group is listed in the report along with the count of logon sessions in each group. |
| Inactive Accounts |
Like the Logon Session Summary, however, once complete, logon sessions outside the trigger thresholds are flagged. Then, when on domain, Active Directory is scanned for all accounts. Any account missing from the report is added as inactive. When off domain, each assigned host is scanned for local accounts. Any account missing from the report is added as inactive. |
| Incomplete Logon Sessions |
Like the Logon Sessions report, however, logon sessions that do not have a corresponding 4647 are flagged as incomplete. |
How to configure the Logon Session Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on Logon Sessions then select Properties. The Properties View displays.
- The Properties View contains 7 configuration tabs.
The Options Tab
- Use the Show the number of successful logons per user and logon type checkbox to group logon sessions by username and logon type then display the latest logon session along with the total count of logon sessions.
- Use the Logon Types checkboxes to select the Logon Types to target.
- Use the Duration Filter controls to exclude logon sessions with a duration of less than X period (e.g. < 1 second).
Filters Tab
- Use the Log Entry Filters controls to filter out specific accounts.
- For more information see: User Filters
Actions Tab
- Use the Hide informational data table rows checkbox to hide completed logon sessions and active logon sessions that fall within the active thresholds.
- For more information see: Actions
How to configure the Logon Session Summary Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on Logon Session Summary then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is selected.
Actions Tab
- Notice the Hide informational data table rows checkbox is de-selected.
How to configure the Inactive Accounts Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on either Logon Sessions (Inactive Domain Accounts) or Logon Sessions (Inactive Local Accounts) then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is selected.
- Notice all Logon Types checkboxes are selected.
- Notice either the Scan Active Directory for inactive accounts or the Scan assigned hosts for inactive local accounts is selected depending on the sample report your previously selected.
- Use the Threshold controls to configure the trigger thresholds. When set, triggered entries display either a Warning or a Critical icon in the report.
Actions Tab
- Notice the Hide informational data table rows checkbox is selected.
How to configure the Incomplete Logon Sessions Report:
 |
This Report has been created specifically for customers that have SOPs that require users to log off. |
- From the Explorer View, navigate to Reports | Sample Reports | JSIG RMF AU-2 | Network | Correlation, right click on AU-2 1.2 Logon Sessions (Incomplete) then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is de-selected.
- Notice the only Logon Types selected are: Interactive and Remote Interactive.
- Notice the Trigger incomplete logon sessions checkbox is selected.
Actions Tab
- Notice the Hide informational data table rows checkbox is de-selected.
Sample Logon Session Report Properties View
