Hostwinds Tutorials
Search results for:
Table of Contents
Tags: Windows
In Windows, you can enable 'Audit Policies' for certain events that the operating system detects. One such audit policy is to audit any login/logoff events that occur on your server. This can be a good way to log what accounts are logging into your server, when, and from where.
This guide will go over how to enable auditing login events, view them, and create a custom view to filter viewing to only the login events.
All of the audit policies are part of Group Policy, and as such, can be enabled or disabled from within the Local Group Policy Editor.
First: Open the Group Policy Editor.
Second: Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
Third: Right-click 'Audit logon events' and select Properties.
Fourth: Check both the Success and Failure checkboxes to enable auditing of both successful and failed login attempts. Click OK.
Now login auditing is enabled, and any future logon and logoff events will be tracked within the Event Viewer.
To view the logon events that are now being audited, you can view them from the Event Viewer.
First: Open the Event Viewer.
Second: Navigate to Windows Logs -> Security.
This section of the Event viewer will then have any logon and logoff events listed. Selecting one of the events will then display that event's details in the box at the bottom.
To view only the list of login events and not every security event that has been detected, you can create a custom view.
First: In the Event Viewer, navigate back to the Windows Logs -> Security section.
Second: Select Create Custom View… in the right sidebar.
Third: Click where it says and enter the IDs of the events you want to view. Optionally, you can also filter by username by specifying a user in the User: textbox. Select OK.
Event ID Event Type 4624 Logon 4672 Special Logon 4634 Logoff
Fourth: Give your view a name, and optionally select a folder to put it in. Click OK.
Now you will be able to view your filter in the Event Viewer under Custom Views -> Your View's Name.
Written by Hostwinds Team / June 18, 2019