Hey folks, I've got a few privileged admin accounts that are meant to be used only when admin access is really necessary. I'm looking to audit these accounts to track when they were logged in and out (including the times and the machines used). For example, I'd like to gather info like:
User: JohnSmith
Logon: 8/21/2025 12:00 PM
Logoff: 8/21/2025 12:10 PM
Hostname: Workstation001.
In Group Policy Management Console (GPMC), I turned on auditing under:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Logon Events and Audit Account Logon Events.
During my testing, the event logs I found most helpful were:
Event ID 4624 (for logon details) and Event ID 4634 (for logoff details). They share a Logon ID, which is a hex value that appears in both events.
However, I've noticed that these logs sometimes show system logins that aren't tied to human activity, which I don't need. When I export the logs from Event Viewer to CSV, I find they lack useful identifiers like usernames and hostnames, which makes the output less practical. Does anyone have suggestions on generating these audit reports for this scenario, preferably using free tools? Thanks!
4 Answers
If you don't have any log aggregation system or SIEM in place, I would recommend using PowerShell. You can script it to check those event IDs and notify you via email upon logon and logoff events.
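Following the PowerShell route suggested above, here is an added example (not from the poster or any answerer) that joins 4624 logons with their 4634/4647 logoffs via the Logon ID and keeps only interactive logon types, which drops most of the service and machine-account noise the question mentions. The account names, lookback window and output path are placeholders; it assumes it runs where the Security log holds the events (each workstation, or a forwarded-events collector).

```powershell
# Added example: report privileged-account sessions from the Security log.
$PrivilegedAccounts = @('JohnSmith', 'AdminUser2')   # placeholder account names
$Since = (Get-Date).AddDays(-7)                       # placeholder lookback window

# Logon types that mean a human sat at a console or RDP session:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
# Excludes service (5), batch (4) and network (3) logons, which are mostly noise here.
$HumanLogonTypes = @(2, 10, 11)

# 4634 = logoff; 4647 = user-initiated logoff (often recorded instead of, or before, 4634).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $Since
} -ErrorAction SilentlyContinue

$open = @{}   # Logon ID (hex string) -> session record still waiting for its logoff
$closed = foreach ($e in ($events | Sort-Object TimeCreated)) {
    # Pull the EventData fields (TargetUserName, TargetLogonId, LogonType, ...) from the XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4624) {
        if ([int]$d.LogonType -notin $HumanLogonTypes) { continue }
        if ($d.TargetUserName -notin $PrivilegedAccounts) { continue }
        $open[$d.TargetLogonId] = [pscustomobject]@{
            User      = $d.TargetUserName
            Domain    = $d.TargetDomainName
            Logon     = $e.TimeCreated
            Logoff    = $null
            Hostname  = $e.MachineName      # machine that recorded the logon
            SourceIP  = $d.IpAddress        # where an RDP session came from, if any
            LogonType = $d.LogonType
        }
    }
    elseif ($d.TargetLogonId -and $open.ContainsKey($d.TargetLogonId)) {
        # Logoff for a session we are tracking: stamp the time and emit it.
        $rec = $open[$d.TargetLogonId]
        $rec.Logoff = $e.TimeCreated
        $open.Remove($d.TargetLogonId)
        $rec
    }
}

# Sessions with no logoff yet are included with an empty Logoff column.
@($closed) + @($open.Values) |
    Select-Object User, Domain, Logon, Logoff, Hostname, SourceIP, LogonType |
    Export-Csv -Path .\PrivilegedLogons.csv -NoTypeInformation
```

Run it in an elevated session, since reading the Security log requires administrative rights; the same Logon ID appears only once per machine boot, so correlate per host rather than across collected logs from different machines.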
You'll probably want a dedicated tool for capturing and reporting event logs. We've been using Netwrix for this task, and it works pretty well!
You might want to check out Graylog Open; it's free and can meet your needs, but expect a steep learning curve. If you only need to track specific events, PowerShell might still be the easiest route.
I’ve had some success with EventComb to query and export logs. The formatting isn’t perfect, but it should give you the info you need.

Yeah, Graylog can be tough to set up, especially on DCs, but it gets the job done once you have it configured.