Server Logon Monitor in SCOM 2016

Shiva Ravichandran 41 Reputation points
2021-05-10T23:25:41.937+00:00

We have to monitor the logon timestamp or the user details of whoever logs into the server, triggered via an alert from SCOM: when someone logs into the server, we need an alert to be triggered.

Please help us here...

Operations Manager

2 answers

  1. System Center guy 681 Reputation points
    2021-05-11T00:55:49.333+00:00

    I think you can try enabling auditing on user accounts and creating a monitor or rule based on the related events. For details, please refer to:

    1. Enable auditing: Account Management
      https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
    2. Create an event monitor or rule:

    How to Create a Simple Windows Event Unit Monitor
    https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx

    Windows Event ID 4624 – Successful logon
    https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html#:~:text=Event%20ID%204624%20(viewed%20in,4625%20documents%20failed%20logon%20attempts.

    Roger


  2. Crystal-MSFT 40,376 Reputation points Microsoft Vendor
    2021-05-11T02:28:00.637+00:00

    @Shiva Ravichandran, agree with Roger. For our request, the main steps are as below:

    1. Use GPO to open Auditing.
    2. Create a monitor or rule to monitor the Windows event ID. For a successful logon, event ID 4624 is generated in the Security log. For a failed logon, event ID 4625 is generated.

    For the parameters in the two events, here are the links for the reference:
    https://www.windows-security.org/windows-event-id/4624-an-account-was-successfully-logged-on
    https://www.windows-security.org/windows-event-id/4625-an-account-failed-to-log-on
    Note: Non-Microsoft link, just for the reference.

    Hope it can help.


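Event 4624 is also written for service, network and batch logons, so a rule keyed on the event ID alone fires far more often than "someone logged into the server". The following is an added example, not code from either answer: it extracts the user, logon type and source address from 4624/4625 event XML and keeps only the logon types you would alert on. The function names, the sample events and the choice of logon types 2 and 10 are assumptions for illustration.

```powershell
# Added example, not from the thread. Treating logon types 2 (interactive/console)
# and 10 (RemoteInteractive/RDP) as "someone logged on" is an assumption; adjust as needed.
$AlertLogonTypes = 2, 10

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
    foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $id = [int]$evt.System.EventID
    [pscustomobject]@{
        Time      = $evt.System.TimeCreated.SystemTime
        EventId   = $id
        Outcome   = if ($id -eq 4624) { 'Success' } else { 'Failure' }
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = [int]$data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

# Hypothetical helper that builds constructed sample XML with only the fields used above.
function New-SampleLogonXml([int]$Id, [string]$User, [int]$Type, [string]$Ip) {
    $fields  = @{ TargetUserName = $User; TargetDomainName = 'CONTOSO'; LogonType = $Type; IpAddress = $Ip }
    $dataXml = ($fields.GetEnumerator() | ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    '<Event><System><EventID>{0}</EventID><TimeCreated SystemTime="2021-05-11T02:28:00.637Z"/></System><EventData>{1}</EventData></Event>' -f $Id, $dataXml
}

# Constructed sample events, not real log data.
$samples = @(
    New-SampleLogonXml 4624 'alice'   10 '192.0.2.10'    # RDP logon: alert
    New-SampleLogonXml 4624 'svc-sql'  5 '-'             # service logon: noise
    New-SampleLogonXml 4624 'bob'      3 '192.0.2.44'    # network (share) logon: noise
    New-SampleLogonXml 4625 'admin'   10 '198.51.100.7'  # failed RDP logon: alert
)

$samples | ForEach-Object { ConvertFrom-LogonEventXml $_ } |
    Where-Object { $_.LogonType -in $AlertLogonTypes } |
    Format-Table Time, Outcome, User, LogonType, SourceIp

# On a live server (elevated session), feed real events instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } | Where-Object { $_.LogonType -in $AlertLogonTypes }
```

Running the live query for an hour before building the SCOM rule shows how many 4624 events each logon type produces on the server, which tells you which types the rule's filter has to exclude.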