IT Toolkit - Monitor Login Events

Kaseya Automation Team

Product Name: IT Toolkit - Monitor Login Events

Description : this script will monitor for logins, logouts, failed logins, and locked account events and alert on the VSA.

Instructions : Instructions can be found in attached pdf

Jason Bachman

If I am monitoring successful logins, is there a way to report on the captured logins via the Info/Reporting module?  Would like to pull a report that shows what users logged into a specific RDS server over a period of time.

Jeff Lorenzen

For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

KaseyaKatie

Great call out, @Jeff Lorenzen! Our team is working on an update for this and should have something soon.

Wilki Budiwarman

Hi @Jason Bachman

It is possible, with some modifications to the Agent Procedures.

1. customize the write procedure log entry to specifically note the user. The user accounts are gathered and reference with the #user# variable
2. Create a new report to target the specific procedure log entry by filtering on the message column.

Danny J. Theriault

Not finding anything on Agent Procedures, Event Sets?

Wilki Budiwarman

@Jason Bachman It is possible but would require some modifications with the agent procedures and reporting. Currently the Agent Procedure provides a generic message - #user# failed to login to #id# at #et#. You will have to modify this to set a unique message and modify / create a report that looks at the procedure log entry.

Filter on the log message to make sure that it's reporting only the messages that pertains to user logins. When you execute the report limit the machines to just the RDS server leveraging views, organizations, or machine groups.

Jeff Lorenzen

For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

Also, has this been adequately tested. I'm getting zero results, even if I run the PS1 manually.

Jeff Lorenzen

I'm finding that there is a lot about this set of procedures that do not work. I'm not sure the function Get-WinEventData is working right. Just tried to run the PS1 against a system that had dozens of 4625s and got no output. This is supposed to save a file "failed.txt" in the working directory. I have nothing.

Jeff Lorenzen

For the love of God, please redo the documentation PDF on this. This is an important monitor set for anyone who is managing a regulated environment. Not only are there several items in the document that are out of order or belong in a different section, it's missing key information on where to go to set something like the <agentemail> variable (I have never had to Manage Variables before and it took me an hour to find where this is and how to apply it). It also does not indicate how the workflow of all the various polices, procedures, sets and reports are actually supposed to work together and what actions one need to take to start capturing this information in real time so that it can result in actionable intel/ticket gen.

Also, has this been adequately tested. I'm getting zero results, even if I run the PS1 manually.

wlambert

I set this up on our system. I created the custom fields, imported the xml, abd created and scheduled policies. When scheduling policies, I put in the time (10:00 AM), save it, and it immediately resorts to 6:00 PM. If I set the schedule to use agent time, it bumps it up to 2:00 PM. Changing the time settings in the System module has no effect. This is he only Agent Procedure doing this. Do you have any idea what could be the problem?

Thanks,

--Hank

ed2018

Was the documentation ever updated on this? @KaseyaKatie

Daniel Valenti

has anyone got this to work? The Powershell script is not generating the txt file