monitor users on win32

softworkz has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks! I'm trying to come up with a good way to monitor users that log into one of our nodes each day, we have 8 nodes a user may log into and our user list is about 250. I want to keep a tally on when and where a user logged in on a particular day regardless of which node they used. I.E even if they logged into 3 nodes for hours on 07/20/2001 the user is only charged for one day. Visa/versa if a user logged into one node per day for a minute for three days they are billed for three days.

The closest thing I can come up with is using the event viewer "security log" but as many may know this is not a flat text file, so parsing it may be impossible. I really only need the user, date, and node. Eventually the stats would be posted on our web showing the power users and nodes used most often. One quick note. The users use terminal services client to attach to a node via our domain controller. I hope you guys can point me in right direction THANKS!

Comment on monitor users on win32

Replies are listed 'Best First'.
Re: monitor users on win32 by rchiav (Deacon) on Jul 20, 2001 at 19:15 UTC
I think you have two options. 1) Use Win32::Eventlog to read and parse the event logs. 2) Create login/logout scripts that do all of this for you. With this method, you could have the scripts update a database which could be directly tied to any billing system and web display. Hope this helps.. Rich	[reply]
Re: monitor users on win32 by joefission (Monk) on Jul 20, 2001 at 22:03 UTC
Sys Admin aspects to think about: How often will you run the script? Watch your security log settings. Make sure retention doesn't overwrite its contents more often than your script runs. Make sure log file maximum size will support the amount of data. Look how the logon and logoff Audit Policy is set. Will you charge for a failed logon (bad password, expired account, account locked out)? It can skew your data. Win32::AdminMisc::UserGetMiscAttributes is yet another method for getting a user's last logon. It won't give as much information as the EventLog, but is quick and easy to implement. `use Win32::AdminMisc; use strict; my $userName = 'me'; # Or gather user list with module my @server = ('PDC', 'BDC', 'Member' ); #Or use other means foreach my $server(@server) { Win32::AdminMisc::UserGetMiscAttributes("\\\\$server", $userName, +\my %Hash); next if $Hash{USER_LAST_LOGON} == 0; # didn't logon print "Last authentication (logon) for $userName in $server was ". +localtime($Hash{USER_LAST_LOGON})."\n"; }` [download]	[reply] [d/l]
(Guildenstern) Re: monitor users on win32 by Guildenstern (Deacon) on Jul 20, 2001 at 19:19 UTC
If you decide that getting the information from the event log is the way to go, take a look at Win32::EventLog. That'll let you extract the contents of the Security log, at which point you can apply good old Perl to parse the results. Logon and logoff events have different IDs, so it shouldn't be too tough to determine how long a user was logged in to a certain node. Guildenstern Negaterd character class uber alles!	[reply]