Wednesday, July 25, 2012

Custom Views in Server 2008 R2

Recently I had a request to create a logging system for usage on a server: a way to document how many times a machine is logged onto by a specific subset of users.
I thought I would try out the custom views in Server 2008 R2 instead of making the quick and easy script at logon/logoff.
It turned out a bit more complicated than I anticipated, so here it is, for documentation purposes.
1. Make sure logon events are audited in the local security policy or the domain policy (Audit logon events, Success).
2. Create a custom view from the Security log.
3. Choose the XML tab and ‘Edit query manually’.
4. My end result:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4647)]]
      and
      *[EventData[Data[@Name='TargetUserName'] and (Data='user1' or Data='user2')]]
    </Select>
  </Query>
</QueryList>
The specific properties of the event you want to filter on can be found by viewing the XML view of a relevant event. In my case TargetUserName was the field common to both event IDs (4624 logon, 4647 logoff), so it is the one the query matches on.
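The same query can be run from PowerShell with Get-WinEvent, which is handy for actually producing the per-user counts the view was built for and for checking that auditing is switched on before you rely on it. This is an added example, not code from the original post; 'user1' and 'user2' are placeholders for the watched accounts, and it assumes you run it elevated on the server whose Security log you want to read.

```powershell
# Added example: run the custom-view XPath query against the Security log and
# count logon (4624) and logoff (4647) events per watched user.
# 'user1' / 'user2' are placeholders; replace them with the real account names.

# Step 1 check: logon auditing must report Success, otherwise the view stays empty.
auditpol /get /subcategory:"Logon"

# Same query as the custom view: Security log, 4624 or 4647, TargetUserName in the list.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4647)]]
      and
      *[EventData[Data[@Name='TargetUserName'] and (Data='user1' or Data='user2')]]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

# Pull the fields we care about out of each event's XML (the same Data elements the
# Event Viewer shows on the XML tab) into flat objects.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        EventID   = $e.Id
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # only present on 4624
    }
}

# Logons per user, broken out by logon type (2 = interactive, 10 = RDP, 3 = network).
$rows | Where-Object { $_.EventID -eq 4624 } |
    Group-Object User, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Logoffs per user.
$rows | Where-Object { $_.EventID -eq 4647 } |
    Group-Object User |
    Select-Object Count, Name
```

The counts are split by LogonType on purpose: event 4624 is also written for network logons (type 3, for example a file-share access), so a raw count of 4624 per user overstates how often someone actually sat down at or remoted into the machine. The script-block form of Where-Object is used so it also works on the PowerShell 2.0 that ships with Server 2008 R2.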
The cool thing about custom views is that you can attach a task to the view, so a program is run or an e-mail sent every time a matching event is logged.
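The same event-triggered task can be created from the command line with schtasks, which is easier to script across several servers than clicking through the Event Viewer wizard. This is an added example, not from the original post; the task name, the notification script path and the account names are placeholders.

```powershell
# Added example: attach a task to the same event query without the GUI.
# ONEVENT triggers fire on events in channel /EC that match the XPath in /MO.
# Placeholders: task name, C:\Scripts\Notify-Logon.cmd, user1 / user2.

$query = "*[System[(EventID=4624 or EventID=4647)]] and *[EventData[Data[@Name='TargetUserName'] and (Data='user1' or Data='user2')]]"

schtasks /Create /TN "Watch-UserLogons" `
         /TR "C:\Scripts\Notify-Logon.cmd" `
         /SC ONEVENT /EC Security /MO $query `
         /RU SYSTEM /F

# Confirm the trigger was registered as expected.
schtasks /Query /TN "Watch-UserLogons" /V /FO LIST
```

Running the task as SYSTEM keeps it independent of any one admin's password changing, but whatever Notify-Logon.cmd does then runs with full local rights, so keep that script on a path only administrators can write to.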
References:
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
