Audit Logon Events

A logon (or logoff) event is an instance where a user logs into (or out) of a server. This activity will show up in the event logs, allowing admins to audit account logon events and gain visibility into logon activity. Logon events are important to monitor for security purposes since a primary way to detect a password-protected security breach from a cyberattacker can be through a logon event audit. 

A logon event audit consists of collecting and analyzing log data of user activity to create a report that highlights critical information about logon/logoff events.

The starting point to auditing logon events is collecting the logon and logoff data, typically located in a directory service like Windows Active Directory (AD) where admins can configure security groups, manage privileged user information like logon credentials, and specify who can modify server data.

Using a security management software can help isolate user activity log data and to observe activity relevant to specific security concerns, such as logon or logoff instances. Specifically, a security information and event management (SIEM) software like SolarWinds SEM is built to monitor logon events in real time, compiling data and correlating trends to flag any unusual logon or pattern of logons and alert the central IT controller. If a logon event meets defined criteria, SEM is designed to be able to take immediate steps to protect the data and prevent additional user activity by disabling user accounts, logging off users, and blocking device IP addresses. 

Auditing logon events should be a central strategy of your server security management protocol. While most user logons signal ordinary use, some user activity can signal breaches of approved use. Additionally, in many organizations there are certain privileged users granted greater access to sensitive data than others, so monitoring events for this user type is especially important. Users with greater access may be able to delete, modify, and even leak critical server data accidentally, or in the case with cyberattackers who gain these privileged user credentials through attacks like phishing, with malicious intent.

However, even the best-trained cybersecurity specialist may not always be able to detect unusual logon events with their own eyes. An effective logon audit often requires a program that can monitor all relevant components in real time and pick up on patterns or data discrepancies that may signal a security issue. To record logon event data in a reportable format, the SIEM software in SEM is built to support security data log auditing, since performing regular audits can help you keep track of security activity and demonstrate compliance.

SolarWinds Security Event Manager offers security log management designed to keep track of account logon events to help you identify activity that may signal an issue.

To configure Windows audit policy for SEM, you first need to modify the Windows audit policy using group policy at the domain controller and domain levels, so SEM can collect logs from your Windows system. 

To set the Windows audit policy, use Group Policy Object Editor or a similar application to define the default policy so it includes Success and Failure for audit process tracking. If your server doesn’t have Active Directory deployed, these policies can also be configured at the local machine.

Once SolarWinds SEM is installed, you will be able to set your security audit log preferences to monitor a wide variety of security events—from logon events, to system events, to account management. After you’ve established your standards for monitoring logon events, SEM is built to provide industry-specific audit logs as well as live security alerts.

• Firewall Security Audit Tool

• Access Right Management
• User Activity Monitoring
• Active Directory Auditing Tool
• Audit Management Software
• SharePoint Audit Tool
• IT Security Audits