3 replies to this topic

[alfa21]

Hi,

 

We have configured AD logon activity, but it doesn't seem to be that accurate, at least at our system. It is not showing all logon activity coming from computers. I know some auditing solution have the option to configure auditing directly on the computers, and one can know whether who logins locally, remotely, or even you unlock the computer. This opsion I cannot find in the Netwrix.

 

How Netwrix collects this information, only from DC, or includes computers, as well. Is there any more detailed documentation on this?

 

Regards,

 

[Yan Skursky]

That depends. AD logon activity collects information from DC. But you are welcome to add windows computers as monitored systems to add logon activity from local logs. 

 

 

[Jadentek]

AD Logon Activity Auditing will only report on Domain Authentication

The Event Log Manager ( ELM ) can be used as Yan Skursky noted, however, this is not a Windows Server collection.

ELM can be set to collect from every Windows System in the environment

KB1904 Audit logon events https://www.netwrix.com/kb/1904

These canned filters do not include the
4801: The workstation was unlocked a new filter
https://www.ultimate...px?eventid=4801
will be needed for these and are not part of the ELM logon reports the All Events by User will need to be used.

To add another filter there is an example in the KB1568 How to configure real-time alert for specific events? https://www.netwrix.com/kb/1568
**Just follow these under the inclusive filter part***

ELM Settings:

[alfa21]

Hi,

 

Thank you for the answer, it was very helpful to me. However, when I open links, images don't open. Is there a problem with that, or how can open those. Tried from different computers, with different browsers.