Logon Sessions Report
Logon Session Reporting is the process of scanning Windows Event Logs for Event IDs 4624, 4634 and 4647, correlating the logon and logoff events, flagging incomplete logon sessions and inactive accounts, and finally reporting the results in Corner Bowl Server Manager, through email, or by saving them to a file such as a CSV, HTML or PDF file.
Relevant Event IDs:
- 4624(S): An account was successfully logged on.
- 4634(S): An account was logged off.
- 4647(S): User initiated logoff.
Report Variants:
Server Manager includes 4 different types of Logon Sessions Reports:
Type | Description |
---|---|
Logon Sessions | Scans multiple Security Event Logs for logon session events, then correlates the events using the Logon ID grouped attribute value. Each logon session is listed in the report. |
Logon Session Summary | Like the Logon Sessions report, except that entries are grouped by logon name, then by logon type. Each group is listed in the report along with the count of logon sessions in that group. |
Inactive Accounts | Like the Logon Session Summary, except that once the summary is complete, logon sessions outside the trigger thresholds are flagged. Then, when on domain, Active Directory is scanned for all accounts, and any account missing from the report is added as inactive. When off domain, each assigned host is scanned for local accounts, and any account missing from the report is added as inactive. |
Incomplete Logon Sessions | Like the Logon Sessions report, except that logon sessions that do not have a corresponding 4647 are flagged as incomplete. |
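
The correlation described above, as an added example that is not part of Server Manager or its documentation: Python over constructed event records, pairing each 4624 with its 4634/4647 events by Logon ID, then applying a duration filter, the missing-4647 incomplete flag, the per-user summary and the inactive-account comparison. The record field names, `KNOWN_ACCOUNTS`, `correlate` and `report` are assumptions of this example; the host is part of the correlation key because a Logon ID is only unique on the computer that issued it.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real log data). "type" is the 4624 Logon Type:
# 2 = Interactive, 3 = Network, 10 = RemoteInteractive.
EVENTS = [
    {"host": "WS01", "id": 4624, "time": "2024-05-01T08:00:00", "user": "alice", "logon_id": "0x3e7a1", "type": 2},
    {"host": "WS01", "id": 4647, "time": "2024-05-01T17:00:00", "user": "alice", "logon_id": "0x3e7a1"},
    {"host": "WS01", "id": 4634, "time": "2024-05-01T17:00:02", "user": "alice", "logon_id": "0x3e7a1"},
    {"host": "WS01", "id": 4624, "time": "2024-05-01T09:00:00", "user": "bob", "logon_id": "0x51c02", "type": 10},
    {"host": "WS01", "id": 4634, "time": "2024-05-01T09:30:00", "user": "bob", "logon_id": "0x51c02"},
    {"host": "SRV02", "id": 4624, "time": "2024-05-01T10:00:00", "user": "svc_backup", "logon_id": "0x3e7a1", "type": 3},
    {"host": "SRV02", "id": 4634, "time": "2024-05-01T10:00:00", "user": "svc_backup", "logon_id": "0x3e7a1"},
    {"host": "WS01", "id": 4624, "time": "2024-05-02T08:05:00", "user": "alice", "logon_id": "0x7b210", "type": 2},
]
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "svc_backup"]  # constructed directory listing

def correlate(events):
    """Pair each 4624 with later 4634/4647 events that share its Logon ID."""
    sessions, open_by_key = [], {}
    for e in sorted(events, key=lambda e: (e["time"], e["id"])):  # 4624 first on ties
        key = (e["host"], e["logon_id"])  # a Logon ID is only unique per host
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4624:
            s = {"user": e["user"], "type": e["type"], "start": when,
                 "end": None, "user_logoff": False}
            sessions.append(s)
            open_by_key[key] = s  # a reused Logon ID starts a new session
        elif e["id"] in (4634, 4647) and key in open_by_key:
            s = open_by_key[key]
            s["end"] = when
            s["user_logoff"] = s["user_logoff"] or e["id"] == 4647
    return sessions

def report(sessions, known_accounts, min_duration=timedelta(seconds=1),
           incomplete_types=(2, 10)):
    """Duration filter, incomplete flag, per-user summary, inactive accounts."""
    kept = [s for s in sessions
            if s["end"] is None or s["end"] - s["start"] >= min_duration]
    # Per the report description: no matching 4647 means incomplete.
    incomplete = [s for s in kept
                  if s["type"] in incomplete_types and not s["user_logoff"]]
    summary = Counter((s["user"], s["type"]) for s in kept)
    inactive = sorted(set(known_accounts) - {user for user, _ in summary})
    return kept, incomplete, summary, inactive

if __name__ == "__main__":
    kept, incomplete, summary, inactive = report(correlate(EVENTS), KNOWN_ACCOUNTS)
    print(dict(summary), [s["user"] for s in incomplete], inactive)
```

In this sample, `svc_backup` is listed as inactive next to `carol` because its only session lasted under one second and was dropped by the duration filter before the comparison; that follows from this example's logic, not from a statement about the product.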
How to configure the Logon Session Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on Logon Sessions then select Properties. The Properties View displays.
- The Properties View contains 7 configuration tabs.
The Options Tab
- Use the Show the number of successful logons per user and logon type checkbox to group logon sessions by username and logon type then display the latest logon session along with the total count of logon sessions.
- Use the Logon Types checkboxes to select the Logon Types to target.
- Use the Duration Filter controls to exclude logon sessions with a duration of less than X period (e.g. < 1 second).
Filters Tab
- Use the Log Entry Filters controls to filter out specific accounts.
- For more information see: User Filters
Actions Tab
- Use the Hide informational data table rows checkbox to hide completed logon sessions and active logon sessions that fall within the active thresholds.
- For more information see: Actions
How to configure the Logon Session Summary Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on Logon Session Summary then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is selected.
Actions Tab
- Notice the Hide informational data table rows checkbox is de-selected.
How to configure the Inactive Accounts Report:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Logon, right click on either Logon Sessions (Inactive Domain Accounts) or Logon Sessions (Inactive Local Accounts) then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is selected.
- Notice all Logon Types checkboxes are selected.
- Notice that either Scan Active Directory for inactive accounts or Scan assigned hosts for inactive local accounts is selected, depending on the sample report you previously selected.
- Use the Threshold controls to configure the trigger thresholds. When set, triggered entries display either a Warning or a Critical icon in the report.
Actions Tab
- Notice the Hide informational data table rows checkbox is selected.
How to configure the Incomplete Logon Sessions Report:
- From the Explorer View, navigate to Reports | Sample Reports | JSIG RMF AU-2 | Network | Correlation, right click on AU-2 1.2 Logon Sessions (Incomplete) then select Properties. The Properties View displays.
The Options Tab
- Notice the Show the number of successful logons per user and logon type checkbox is de-selected.
- Notice the only Logon Types selected are: Interactive and Remote Interactive.
- Notice the Trigger incomplete logon sessions checkbox is selected.
Actions Tab
- Notice the Hide informational data table rows checkbox is de-selected.