In Windows, you can enable ‘Audit Policies’ for certain events that the operating system detects. One such audit policy is to audit any login/logoff events that occur on your server. This can be a good way to have a log of what accounts are logging into your server, when, and from where.
This guide covers how to enable auditing of login events, how to view them, and how to create a custom view that shows only the login events.
Enable Logon Event Auditing
All of the audit policies are part of Group Policy, and as such, can be enabled or disabled from within the Local Group Policy Editor.
First: Open the Group Policy Editor.
Second: Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
Third: Right-click ‘Audit logon events’ and select Properties.
Fourth: Check both the Success and Failure checkboxes to enable auditing of both successful and failed logon attempts. Click OK.
Logon auditing is now enabled, and any future logon and logoff events will be tracked within the Event Viewer.
Viewing Logon Events
The logon events that are now being audited can be viewed in the Event Viewer.
First: Open the Event Viewer.
Second: Navigate to Windows Logs -> Security.
This section of the Event Viewer lists any logon and logoff events. Selecting one of the events displays that event’s details in the box at the bottom.
Filter Only Logon Events
To view only the list of login events and not every security event that has been detected, you can create a custom view.
First: In the Event Viewer, navigate back to the Windows Logs -> Security section.
Second: Select Create Custom View… in the right sidebar.
Third: Click where it says <All Event IDs> and enter the IDs of the events you want to view. Optionally, you can also filter by username by specifying a user in the User: textbox. Select OK.
|Event ID||Event Type|
Fourth: Give your view a name, and optionally select a folder to put it in. Click OK.
Now you will be able to view your filter in the Event Viewer under Custom Views -> Your View’s Name.
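The same filter can be applied from PowerShell, which also pulls out the account, logon type and source address for each event. This is an added example, not part of the original guide; the event IDs (4624, 4625, 4634, 4647) are the standard logon/logoff IDs and are assumed here rather than taken from the guide, and the function name Get-LogonAudit is hypothetical.

```powershell
# Run from an elevated PowerShell session; reading the Security log requires it.

# Confirm that Success and Failure auditing is in effect for logon/logoff.
# (The category name is localized on non-English systems.)
auditpol /get /category:"Logon/Logoff"

# Assumed event IDs (standard on Windows Vista / Server 2008 and later):
# 4624 successful logon, 4625 failed logon, 4634 logoff, 4647 user-initiated logoff
$LogonEventIds = 4624, 4625, 4634, 4647

function Get-LogonAudit {   # hypothetical helper name
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int[]]$Id = $LogonEventIds,
        [int]$MaxEvents = 1000
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read fields by name from the event XML; their order differs per event ID.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']     # e.g. 2 = interactive, 3 = network, 10 = remote interactive
                SourceIp    = $data['IpAddress']     # empty for logoff events
                Workstation = $data['WorkstationName']
            }
        }
}

$events = Get-LogonAudit -Since (Get-Date).AddDays(-7)

# Who logged on, when, and from where.
$events | Where-Object EventId -eq 4624 |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, SourceIp -AutoSize

# Failed logons grouped by account and source address, most frequent first.
$events | Where-Object EventId -eq 4625 |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```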