Ask the Expert

Filtering workstation logon events to log only user activity

Since we have upgraded to Windows 2000/AD, our security logs have grown very large. There seems to be a lot of logon/logoff (successful) activity between the workstation$ accounts and the Domain. I work for a hospital and must track all logon activity for users, is there a way to filter out workstation logon/logoff events and only log user activity. This is wreaking havoc on my archiving scheme. Thanks!

Requires Free Membership to View

The granularity of the policy for logging of events does not permit the exclusion of the machine accounts. However, if you are using a scripted solution for archiving, or are willing to use such a solution you can filter the events from the logs when they are archived. The VBScript along with WMI can be utilized to pull information from event logs of multiple machines and centrally store the information. If you use this process in conjunction with an appropriate Group Policy governing size and how the information is cleared from event logs -- you can effectively store the logs after filtering unnecessary information. The logs can then be stored for long durations, backed up to tape, and reviewed at will.
Paul Hinsberg

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

This was first published in December 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: