IT Toolkit - Monitor Login Events

Kaseya Automation Team
Kaseya Automation Team Member, Kaseya Certified CHOCOLATE MILK
edited January 2022 in Solutions

Product Name: IT Toolkit - Monitor Login Events

Description : this script will monitor for logins, logouts, failed logins, and locked account events and alert on the VSA.

Instructions : Instructions can be found in attached pdf

Tagged:

Comments

  • Jason Bachman
    Jason Bachman Member CHOCOLATE MILK
    edited February 2021

    If I am monitoring successful logins, is there a way to report on the captured logins via the Info/Reporting module?  Would like to pull a report that shows what users logged into a specific RDS server over a period of time.

  • Jeff Lorenzen
    Jeff Lorenzen Member CHOCOLATE MILK

    For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

    image.png


  • KaseyaKatie
    KaseyaKatie Member, Administrator, Kaseyan, Kaseya Staff

    COMMUNITY MANAGER

    Great call out, @Jeff Lorenzen! Our team is working on an update for this and should have something soon.

  • Wilki Budiwarman
    Wilki Budiwarman Member, Kaseya Certified CHOCOLATE MILK

    Hi @Jason Bachman

    It is possible, with some modifications to the Agent Procedures.

    1. customize the write procedure log entry to specifically note the user. The user accounts are gathered and reference with the #user# variable
    2. Create a new report to target the specific procedure log entry by filtering on the message column.
  • Danny J. Theriault
    Danny J. Theriault Member

    Not finding anything on Agent Procedures, Event Sets?

  • Wilki Budiwarman
    Wilki Budiwarman Member, Kaseya Certified CHOCOLATE MILK

    @Jason Bachman It is possible but would require some modifications with the agent procedures and reporting. Currently the Agent Procedure provides a generic message - #user# failed to login to #id# at #et#. You will have to modify this to set a unique message and modify / create a report that looks at the procedure log entry.

    Filter on the log message to make sure that it's reporting only the messages that pertains to user logins. When you execute the report limit the machines to just the RDS server leveraging views, organizations, or machine groups.

  • Jeff Lorenzen
    Jeff Lorenzen Member CHOCOLATE MILK

    For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

    image.png

    Also, has this been adequately tested. I'm getting zero results, even if I run the PS1 manually.

  • Jeff Lorenzen
    Jeff Lorenzen Member CHOCOLATE MILK

    I'm finding that there is a lot about this set of procedures that do not work. I'm not sure the function Get-WinEventData is working right. Just tried to run the PS1 against a system that had dozens of 4625s and got no output. This is supposed to save a file "failed.txt" in the working directory. I have nothing.

  • Jeff Lorenzen
    Jeff Lorenzen Member CHOCOLATE MILK

    For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

    image.png

    Also, has this been adequately tested. I'm getting zero results, even if I run the PS1 manually.

  • wlambert
    wlambert Member, Managed Service Provider CHOCOLATE MILK

    I set this up on our system. I created the custom fields, imported the xml, abd created and scheduled policies. When scheduling policies, I put in the time (10:00 AM), save it, and it immediately resorts to 6:00 PM. If I set the schedule to use agent time, it bumps it up to 2:00 PM. Changing the time settings in the System module has no effect. This is he only Agent Procedure doing this. Do you have any idea what could be the problem?

    Thanks,

    --Hank

  • ed2018
    ed2018 Member, Managed Service Provider DECAF

    Was the documentation ever updated on this? @KaseyaKatie

  • Daniel Valenti
    Daniel Valenti Member CHOCOLATE MILK

    has anyone got this to work? The Powershell script is not generating the txt file

Categories

Join The Community

Weekly Leaderboard