Windows: Audit/View logins from remote networks?
I want to audit remote connection attempts to a Windows 2003 Server. I've changed the group policy to show logon successes and failures:
>gpedit.msc
Local Computer Policy
Computer Configuration
Windows Settings
Security Settings
Local Policies
Audit Policy
Audit logon events: Success, Failure
And now the logs are filled with failure events like:
Logon Failure:
Reason: Unknown user name or bad password
User Name: server
...
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
...
Source Network Address: 82.114.195.29
While Logon Failure events sure are interesting, I'm more interested in Logon Success events - I want to see if anyone got in. That means it's not all Logon Success events I want, just ones from foreign networks.
I want to filter the Windows Security Event log to show:
- Event type == "Failure audit"
- "Source Network Address" is from the internet
Or for the more programmer-oriented:
(EventType == FAILURE_AUDIT) && (SourceNetworkAddress & 0xffffff00) != 0x0a000000
Possible?
Event viewer won't allow you to filter on criteria in the "Description" field, which is what you need to differentiate between "local" networks and "foreign" networks.
My sshd_block script could be altered to do what you're looking for, or you could probably cobble something together using the event log email notification script I wrote for an answer on Server Fault. Either one, however, doesn't have rate limiting on the notifications (which I really should get around to writing in my "copious free time"...)