question

ShivaRavichandran-6199 asked Crystal-MSFT commented

Server Logon Monitor in SCOM 2016

We have to monitor the logon timestamp or the user details of whoever logs into the server, with an alert triggered from SCOM. When someone logs into the server, we need the alert to be triggered.

Please help us here...

msc-operations-manager

@ShivaRavichandran-6199, hope everything is going well. I am writing to see if there's anything unclear with the information we provided. If yes, feel free to let us know.

Thanks and have a nice day!


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


RogerXue-3369 answered

I think you can try enabling auditing on the user account and creating a monitor or rule based on the related events. For details, please refer to:

1. Enable auditing:

   Account Management
   https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

2. Create an event monitor or rule:

   How to Create a Simple Windows Event Unit Monitor
   https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx

   Windows Event ID 4624 – Successful logon
   https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html#:~:text=Event%20ID%204624%20(viewed%20in,4625%20documents%20failed%20logon%20attempts.

Roger

Crystal-MSFT answered

@ShivaRavichandran-6199, agree with Roger. For our request, the main steps are as below:
1. Use GPO to open Auditing.
2. Create a monitor or rule to monitor the Windows event ID. For a successful logon, event ID 4624 will be generated in the Security log. For a failed logon, event ID 4625 will be generated.

For the parameters in the two events, here are the links for reference:
https://www.windows-security.org/windows-event-id/4624-an-account-was-successfully-logged-on
https://www.windows-security.org/windows-event-id/4625-an-account-failed-to-log-on
Note: Non-Microsoft links, just for reference.

Hope it can help.


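A way to confirm, on the monitored server, that the 4624/4625 events named in the answers above are actually being written before a SCOM monitor or rule is built on them. This is an added example, not part of the original thread; the one-hour window and the choice to keep only logon types 2, 10 and 11 are assumptions.

```powershell
# Added example: verify logon auditing and list recent human logons.
# Run in an elevated PowerShell session on the monitored server.

# 1. Show the effective audit setting for the Logon subcategory
#    (subcategory name as shown on an English-language system).
#    Expect "Success and Failure" once the auditing GPO has applied.
auditpol /get /subcategory:"Logon"

# 2. Logon types kept for alerting (assumption). Types such as 3 (network)
#    and 5 (service) are high-volume and would flood an alert on every 4624.
$interestingTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertTo-LogonRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Read EventData fields by name from the event XML rather than by index,
        # because 4624 and 4625 order their fields differently.
        $data = @{}
        ([xml]$Record.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Result      = if ($Record.Id -eq 4624) { 'Success' } else { 'Failure' }
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            SourceIp    = $data['IpAddress']
        }
    }
}

# 3. Pull the last hour of logon events and keep only the interesting types.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertTo-LogonRecord |
    Where-Object { $interestingTypes.ContainsKey($_.LogonType) } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If the table is empty after a test logon, the audit policy has not applied yet and the SCOM monitor would have nothing to match.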