SIEM, IPS, Server Monitoring, Uptime Monitoring and Compliance Software
Table of Contents

Security Event Log Success Logons Reports

The Success Logons Reports enable you to scan the consolidated log database for various successful logon Event IDs. This report is typically used by compliance and audit professionals while auditing domain controllers and stand-alone servers.

Server Manager includes two methods to report successful Windows logins:

One-Off Successful Logons Report Parses event IDs: 4624, 4634, 4647 and 4768, filters Logon Types, displays each successful login or the total number of successful logins grouped by user and Logon Type, then finally and optionally generates a summary table along with tables for each selected Event ID. This report is supported on all locales.
Generic Successful Logons Report Uses Regular Expressions to parse Security Event Log Entries, extract values, validate subject and target accounts in Active Directory, then finally filter entries using Event Log Filters. This report is only supported on English locales.

How to configure the One-Off Successful Logons Report

The Options Tab

  • Use the Tables check boxes to select the Event IDs to target.
  • Use the Logon Types checkboxes to select the Logon Types to target.
  • Use the Summary check box to either display each successful logon entry or display the count of unique successful logons grouped by account name and Logon Type.
    Success Logon Report properties

How to configure the Generic Successful Logons Report

The Options Tab

  • Use the Filters drop-down to select all of the filters you would like to apply to the report.
    Alert To target specific columns (e.g. New Logon Account Name), create a Complex Event Log Filter then, create a new Attribute Value Pair Criteria, specify the column's key (e.g. TARGET_ACCOUNT_NAME) then, specify the account name or regular expression to target.
    Sample regular expression driven new interactive and remote logon excluding built-in DWM accounts filter
  • Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.

    The following filter options are available:

    AllInclude each entry that passes all assigned filters.
    AnyInclude each entry that passes any filter.
    NoneInclude each entry that does not pass any of the filters.
    IgnoreInclude all entries.
  • Use the Apply filter frequency rules to display the Latest or Oldest entry when it occurs more than X times every X periods.
    Information A unique instance of these settings is attached to each assigned filter. Select the Filter to apply each instance's settings.
  • Use the Duplicates controls to group entries by Source and Event ID then display Latest or Oldest entry along with a count of entries in each group.
    Generic Successful Logon Report properties

Related Topics

Security Event Log Reports