
 

Standard reports

By default, GFI LANguard S.E.L.M. ships with a number of reports:

User reports in percentages

User reports in percentages – Users who failed to logon due to a bad username/password for the current day.

These reports can be used to identify irregularities in the usage of the network by users.

Reports created under User reports in percentages display the total number of events per user, irrespective of the computers on which the events were generated. The users are ranked according to who generated the most events. This way you can, for example, detect an attempt to guess a password.

Also, if a user is demonstrating excess activity compared to his peers, then that user might be attempting to access areas of the network for which he has no authorization. Events which are related to logon/logoff activity are the following:

Event ID  Type           Description
528       Success Audit  Successful logon
529       Failure Audit  Logon Failure: Unknown user name or bad password
530       Failure Audit  Logon Failure: Account logon time restriction violation
531       Failure Audit  Logon Failure: Account currently disabled
532       Failure Audit  Logon Failure: The specified user account has expired
533       Failure Audit  Logon Failure: User not allowed to logon at this computer
534       Failure Audit  Logon Failure: The user has not been granted the requested logon type at this machine
535       Failure Audit  Logon Failure: The specified account's password has expired
536       Failure Audit  Logon Failure: The NetLogon component is not active
537       Failure Audit  Logon Failure: An unexpected error occurred during logon
538       Success Audit  User Logoff
539       Failure Audit  Logon Failure: Account locked out
540       Success Audit  Successful Network Logon

There are seven user reports by percentages:

Users who failed to logon for any reason yesterday

As you can see from the table above there are ten possible scenarios which can lead to a failed logon including bad username or password supplied, or attempts to log in when an account is disabled or expired. This report will display the total number of failed logons which happened on your network the day before the current one, irrespective of the reason why the users failed to log on. This report covers events 529, 530, 531, 532, 533, 534, 535, 536, 537 and 539 only.

Users who failed to logon for any reason today

Just like the report named "Users who failed to logon for any reason yesterday" this report will display the total number of failed logons which happened on your network on the current day, irrespective of the reason why the users failed to log on.

Users who failed to logon due to a bad username/password yesterday

Just like the report named "Users who failed to logon for any reason yesterday" this report will display the total number of failed logons which happened on your network on the day before the current one, but will only take into consideration bad logons due to an incorrect username/password being supplied to the system. This report covers events 529 only.

Users who failed to logon for any reason for the last seven days

Just like the report named "Users who failed to logon for any reason yesterday" this report will display the total number of failed logons which happened on your network for the past seven days/week, irrespective of the reason why the users failed to log on. This report covers events 529, 530, 531, 532, 533, 534, 535, 536, 537 and 539 only.

Users who failed to logon due to a bad username/password today

Just like the report named "Users who failed to logon due to a bad username/password yesterday" this report will display the total number of failed logons which happened on your network on the current day, but will only take into consideration bad logons due to an incorrect username/password being supplied to the system. This report covers events 529 only.

Users who logged on successfully today

This report will list the users who logged on to the network successfully most often on the current day. This report covers events 528 and 540 only.

Users who logged on successfully yesterday

This report will list the users who logged on to the network successfully most often on the day before the current day. This report covers events 528 and 540 only.
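The following is an added example, not GFI LANguard S.E.L.M. code: it shows how a "user report in percentages" can be computed from raw logon events using the event ID sets listed above. The record layout, the sample events and the reading of "last seven days" as today plus the six days before it are assumptions made for the illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Event ID sets taken from the report descriptions on this page.
FAILED_ANY = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
BAD_PASSWORD = {529}
SUCCESSFUL = {528, 540}

# Constructed sample records: (timestamp, event ID, user, computer).
SAMPLE_EVENTS = [
    ("2008-03-10 08:01:12", 529, "jsmith", "WS01"),
    ("2008-03-10 08:01:20", 529, "jsmith", "WS01"),
    ("2008-03-10 08:01:31", 529, "JSmith", "SRV02"),
    ("2008-03-10 08:02:02", 539, "jsmith", "SRV02"),
    ("2008-03-10 09:15:00", 531, "olduser", "WS07"),
    ("2008-03-10 09:30:45", 528, "mbrown", "WS03"),
    ("2008-03-10 10:05:10", 540, "mbrown", "SRV02"),
    ("2008-03-11 08:00:05", 529, "mbrown", "WS03"),
    ("2008-03-11 08:00:30", 528, "mbrown", "WS03"),
]


def user_report(events, event_ids, first_day, last_day=None):
    """Return [(user, count, percent)] for matching events, busiest user first."""
    last_day = last_day or first_day
    counts = Counter()
    for stamp, event_id, user, _computer in events:
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").date()
        if event_id in event_ids and first_day <= day <= last_day:
            counts[user.lower()] += 1  # per user, whatever the computer or case
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(u, n, round(100.0 * n / total, 1)) for u, n in ranked]


if __name__ == "__main__":
    today = date(2008, 3, 11)  # fixed date so the constructed sample lines up
    yesterday = today - timedelta(days=1)
    week_start = today - timedelta(days=6)  # assumption: window includes today
    for title, ids, start, end in [
        ("Failed logon, any reason, yesterday", FAILED_ANY, yesterday, yesterday),
        ("Failed logon, bad username/password, today", BAD_PASSWORD, today, today),
        ("Failed logon, any reason, last seven days", FAILED_ANY, week_start, today),
        ("Logged on successfully yesterday", SUCCESSFUL, yesterday, yesterday),
    ]:
        print(title)
        for user, n, pct in user_report(SAMPLE_EVENTS, ids, start, end):
            print(f"  {user:<10} {n:>3}  {pct:>5}%")
```

In the sample, jsmith accounts for 80% of yesterday's failed logons, spread over two computers and ending in a lockout (539), which is the password-guessing pattern the ranking is meant to surface.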

First/last daily user event reports

First user activity of the day

These reports show the first/last events of a particular type on a per-day basis. These types of reports are useful in answering questions which every company asks itself, such as:

  • At what time did my employees switch on their computers in the morning (by monitoring events 512 – Windows NT is starting up) for the past week / month?
  • At what time did they actually start working, i.e. at what time did they log on (first event of any type which is registered under the user account)?
  • At what time did they switch off their computers in the evening (by monitoring for events 513 – Windows NT is shutting down)?

You can also generate a report which lists the very first and very last event of a user, hence you can also see at what time he started working and at what time he stopped working.

For a more detailed daily report of the actions of a particular user, you would need to use another type of report, such as "Computer event reports".

By default, two pre-defined reports are supplied which answer one of the above questions:

First logon times for all users for the last 7 days

This report will list the first event (any type) of each and every user which happened in the past week / last seven days. That way you can take immediate action on people who are not sticking to company regulations.

First logon times for all users for the last month

This report will list the first event (any type) of each and every user which happened in the past week / last seven days. That way you can both take immediate action on people who are not sticking to company regulations and analyze trends.
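As an added illustration (not the product's own code), the first/last daily event logic described in this section can be computed as follows. The record layout and the sample events are constructed for the example; 512 and 513 are the startup and shutdown event IDs named above.

```python
from datetime import datetime

STARTUP, SHUTDOWN = 512, 513  # event IDs named on this page

# Constructed sample records: (timestamp, event ID, user, computer).
# The two 2008-03-11 records are deliberately out of order.
SAMPLE_EVENTS = [
    ("2008-03-10 07:52:10", 512, "SYSTEM", "WS01"),
    ("2008-03-10 08:03:41", 528, "jsmith", "WS01"),
    ("2008-03-10 12:30:00", 538, "jsmith", "WS01"),
    ("2008-03-10 17:44:09", 538, "jsmith", "WS01"),
    ("2008-03-10 17:45:30", 513, "SYSTEM", "WS01"),
    ("2008-03-11 09:20:15", 528, "jsmith", "WS01"),
    ("2008-03-11 09:05:02", 512, "SYSTEM", "WS01"),
]

BY_USER, BY_COMPUTER = 2, 3  # index of the grouping field in a record


def first_last(events, key_index, event_ids=None):
    """Return {(key, day): (first_time, last_time)} for matching events.

    event_ids=None means "first event of any type", as in the default reports.
    """
    result = {}
    for record in events:
        if event_ids is not None and record[1] not in event_ids:
            continue
        stamp = datetime.strptime(record[0], "%Y-%m-%d %H:%M:%S")
        key = (record[key_index], stamp.date().isoformat())
        t = stamp.strftime("%H:%M:%S")  # zero-padded, so string order = time order
        first, last = result.get(key, (t, t))
        result[key] = (min(first, t), max(last, t))
    return result


if __name__ == "__main__":
    print("First/last event of any type per user and day")
    for (user, day), (first, last) in sorted(first_last(SAMPLE_EVENTS, BY_USER).items()):
        print(f"  {day} {user:<8} first={first} last={last}")
    print("Startup (512) per computer and day")
    for (host, day), (first, _) in sorted(first_last(SAMPLE_EVENTS, BY_COMPUTER, {STARTUP}).items()):
        print(f"  {day} {host:<8} {first}")
```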

Computer Event Reports

Computer Event Report – Successful logons for the day for all computers

These reports are very useful when you want to monitor all the user activity on a particular machine, regardless of whether the computer is used by a single person or by several.

This is a very detailed report and will list every event specified in the event list of the report which happened on that computer. For example, if you want to see all the successful logons which happened on a machine, you would set the filtering options of that report to include only events with ID 528 (successful logon) and 540 (successful network logon). If you want the report to include only information on events happening on a particular machine/s or particular domain/s, you can customize the reports to your needs.

These reports are very useful when performing detailed analysis. For example, after you suspect an attack on one of the machines, you may want to check all the successful logons for that day/period to be able to detect under which user account the successful hack occurred.

To cater for the above, two default reports of this type are included.

All successful logons which happened today on each computer

This will list all the events which indicate a successful logon on each and every computer which is scanned for the current day. This report covers events with IDs 528 and 540.

All successful logons which happened yesterday on each computer

This will list all the events which indicate a successful logon on each and every computer which is scanned for the day before the current day. This report covers events with IDs 528 and 540.

Computer event reports in percentages

Computer Event Report in percentage – Which users generate most events on each computer

This type of report is very similar to the User reports in percentages, with the difference that instead of grouping the information by user, it groups the information by computer. This way you can see who is generating most events on a particular computer or if users are accessing computers they shouldn't.

Only one report of this type is supplied by default, i.e. Which users generate most events on each computer. This report lists each computer followed by a list of users who generate events on that machine.

