Wednesday, July 16, 2014

Logging WTS Access

source:
First enable auditing in secpol.msc.
I found this is needed because the other events triggered too early to get the hostname.
  • Click Start and type secpol.msc then hit enter.
    the Local Security Policy window will be displayed
  • Now navigate to Local Policy > Audit Policy
    and right-click the Audit account logon events policy option and choose Properties.
  • Now check the Success box (failed attempts will not be logged this way)
  • Exit from secpol.msc
Now create a VBScript file (for example called c:\temp\log.vbs):
(also edit the location of the desired logfile, here c:\temp\rdp.log)
Function sessionNumber
  ' Find this user's session ID by parsing the output of "query session <user>".
  ' The ID is the number printed between the user name and the word "active".
  Dim oShell, oExec, sOutput, sUser, iUserPos, iUserLen, iStatePos
  Set oShell = CreateObject("WScript.Shell")
  sUser = LCase(oShell.ExpandEnvironmentStrings("%username%"))
  Set oExec = oShell.Exec("query session " & sUser)
  sOutput = LCase(oExec.StdOut.ReadAll)
  iUserPos = InStr(sOutput, sUser)
  iUserLen = Len(sUser)
  ' Search for "active" only after the user name so an earlier match cannot confuse the parse
  iStatePos = InStr(iUserPos, sOutput, "active")
  sessionNumber = CInt(Trim(Mid(sOutput, iUserPos + iUserLen, iStatePos - iUserPos - iUserLen)))
End Function

Function clientName
  ' The RDP client's host name is stored per session under
  ' HKCU\Volatile Environment\<session ID>\CLIENTNAME. If the value does not
  ' exist (for example a console logon) report "unknown" instead of failing.
  Dim oShell
  Set oShell = CreateObject("WScript.Shell")
  On Error Resume Next
  clientName = LCase(oShell.RegRead("HKCU\Volatile Environment\" & sessionNumber & "\CLIENTNAME"))
  If Err.Number <> 0 Then
    clientName = "unknown"
  End If
  On Error GoTo 0
End Function

outFile = "c:\temp\rdp.log"

Const ForAppending = 8

' Append one line per run: timestamp ; client host name
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(outFile, ForAppending, True)
objFile.Write Now() & " ; " & clientName & vbCrLf
objFile.Close
Now for the last part, create a scheduled task that starts this script.
  • Click Start and type taskschd.msc then hit enter.
  • Choose Create Task in the right pane
  • Name it Logon RDP or something
  • In the Trigger tab choose New and for "Begin the task" choose "On an event"
  • In "Log" choose Security and in "Event ID" type 4624
  • Hit Ok
  • In the Action tab choose New and choose "Start a program"
  • In Program type cscript.exe and in Add arguments type c:\temp\log.vbs
  • Hit Ok twice
Now when someone logs in via RDP, their hostname is logged in c:\temp\rdp.log
Note that local logins will also be logged (I haven't tested that yet because I'm on a remote :)
but I guess that's not a problem.
You could of course adapt the log.vbs to include username, remote ip... etc.
(phew, Windows XP was a lot easier. That one just logs the hostname in the event)
Maybe someone can come up with an easier solution :)

Edit #2
This is from a completely clean Windows 7 install.
(Main machine is Test-pc and the machine with which I logged on is XPS8500):
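As an added example (not code from the quoted answer or its author), the same three-step setup done in PowerShell: the script below replaces log.vbs and, instead of parsing "query session" and reading HKCU\Volatile Environment, takes the account name, client workstation name and source IP directly from the Security 4624 event that fired the task, which also covers the "include username, remote ip" extension the answer mentions. Run it once with -Register as an administrator to create the event-triggered task the answer builds by hand in taskschd.msc (trigger: Security log, Event ID 4624); the task then runs the script on every 4624 event. The task name, file paths, the 60-second lookback window and the SYSTEM run-as account are assumptions.

```powershell
<#
 Added example, not part of the original post. Logs RDP logons from Security
 event 4624. Use -Register to create the event-triggered scheduled task.
 Assumed values: task name, log path, lookback window, run-as account.
#>
param(
    [string]$LogFile = 'C:\temp\rdp.log',   # assumed: same log path the post uses
    [int]$WindowSeconds = 60,               # assumed: how far back to look for the triggering logon
    [switch]$Register                       # create the scheduled task instead of logging
)

$TaskName   = 'Logon RDP'                   # assumed task name, as suggested in the post
$ScriptPath = $MyInvocation.MyCommand.Path

function Get-RecentRdpLogons {
    param([int]$Seconds = 60)
    # 4624 = "An account was successfully logged on". LogonType 10 (RemoteInteractive)
    # is an RDP session; console (2) and network (3) logons are skipped, which keeps
    # the local logins the post mentions out of the file.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddSeconds(-$Seconds) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']   # the client host name, what the post logs
                SourceIp    = $data['IpAddress']
                LogonId     = $data['TargetLogonId']     # unique per session; use it to de-duplicate
            }
        }
    }
}

function Write-RdpLogonEntries {
    param(
        [Parameter(ValueFromPipeline=$true)] $Entry,
        [string]$Path
    )
    process {
        # Same "timestamp ; value" shape as the post's rdp.log, with the extra fields appended.
        $line = '{0:yyyy-MM-dd HH:mm:ss} ; {1} ; {2} ; {3} ; {4}' -f `
            $Entry.Time, $Entry.User, $Entry.Workstation, $Entry.SourceIp, $Entry.LogonId
        Add-Content -Path $Path -Value $line
    }
}

if ($Register) {
    # Event-triggered task equivalent to the GUI steps (Log: Security, Event ID: 4624).
    # Running as SYSTEM lets the task read the Security log no matter who logged on.
    schtasks.exe /Create /F /TN $TaskName /RU SYSTEM /SC ONEVENT /EC Security `
        /MO '*[System[EventID=4624]]' `
        /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
} else {
    Get-RecentRdpLogons -Seconds $WindowSeconds | Write-RdpLogonEntries -Path $LogFile
}
```

The audit policy from the first step still has to be enabled, otherwise no 4624 events are written. Because a single RDP connection can raise more than one 4624 event (for example the network logon NLA performs before the interactive one), the script filters on LogonType 10 and records TargetLogonId so repeated lines for the same session can be collapsed later.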