I need to catch Win Srv 2012 domain users logon and logoff time (also if possible sleep and wake time) and insert that into an sql table to build report showing users working time. All workstations have Win 7 Pro and work locally (not through terminal services). Due to the number of workstations I'd prefer to have every script/policy on server.
Any help will be much appreciated.
Regards,
Przemek
Best Answer
There is solution for your need :
1- use a hids software agent on client to log event to a server . Need install on client , config server , don't work outside without vpn etc . (Ossec or other siem/hids tools do the job)
2- use windows audit capability to centralize all events. This work without tools on client side . you just have to run script/gpo with configuration to send security log to a centralization server . Look this one : http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Centralized-Auditing-here-FREE.html
After that you need some script to read audit log in centralized server and write to database .
There is tools like Nxlog ,Snare that do the job (read event log and format for a syslog ). And logstash can read syslog and write in a database (nosql database , or sql database) .
There is commercial software doing that too but its not the place to talk about that (google for commercial product).