How to Review Login Events in a Windows Server

Login events play a crucial role in maintaining the security of a Windows Server. They provide valuable information about who accessed the server, when they accessed it, and whether any suspicious activity occurred. By reviewing login events, you can identify potential security threats, ensure that user accounts are being used appropriately, and maintain a secure server environment. 

In this blog post, we will guide you through the steps of enabling logon event auditing, viewing and filtering login events, and interpreting and taking action on login events. By following these steps, you can strengthen your server’s security and protect your organization from cyber threats.

Enable Logon Event Auditing

Enabling logon event auditing is the first step in reviewing login events in a Windows Server. Windows Server includes a built-in feature called Event Auditing, which records security-related events, such as logon events, in a log file. However, by default, Windows Server does not audit logon events, so you need to enable it manually.

To enable logon event auditing, follow these simple steps:

1. Open the Local Group Policy Editor by typing “gpedit.msc” in the search bar and pressing Enter.

2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

3. Double-click the Audit logon events policy.
4.  Click OK after Selecting the Success and Failure check boxes.

5. Close the Local Group Policy Editor.

Once you have enabled logon event auditing, Windows Server will start recording logon events in the Security log. You can access the Security log through the Windows Event Viewer. With this feature enabled, you can now review login events and identify potential security threats on your server.

Windows Event Viewer

The Windows Event Viewer is a powerful tool that enables you to view and manage event logs on your Windows Server. It is a built-in feature and can be accessed through the Control Panel or the Start menu.

To access the Windows Event Viewer, follow these simple steps:

1. Click on the Start menu. In the search bar, type “Event Viewer”.
2. In the search results, click on “Event Viewer”.

3. Expand the “Windows Logs” folder.
4. Click on the “Security” log.

By following these steps, you can access the Security log, which contains important information about login events on your Windows Server. The Windows Event Viewer provides an easy-to-use interface for reviewing login events, enabling you to quickly identify any suspicious activity and take action to prevent potential security threats.

Viewing Logon Events

Once you have enabled logon event auditing and accessed the Security log in the Windows Event Viewer, you can start reviewing the logon events that have been recorded. By default, the Security log displays all events, not just logon events. To filter the log and show only logon events, you need to follow these steps:

1. In the Security log, click on the “Filter Current Log” button in the “Actions” pane on the right-hand side of the screen.

2. In the “Filter Current Log” dialog box, click on the “Event sources” drop-down list, and choose “”.
3. Select both the “Audit Success” and “Audit Failure” checkboxes in the “Keywords” field
4. In the “User” field, enter the name of the user whose logon events you want to view, or leave it blank to view all users.
5. Click “OK” to apply the filter.

Once you have applied the filter, the Security log will display only logon events that match your criteria. This makes it easier to review and analyze login activity on your Windows Server and identify any potential security threats. By regularly reviewing logon events and filtering the Security log, you can stay on top of your server’s security and prevent unauthorized access to your system.

Filter Only Logon Events

To filter the Security log to show only successful or failed logon events, you can use the Event IDs that are associated with these events. The Event ID for a successful logon event is 4624, and the Event ID for a failed logon event is 4625. Here are the steps to filter the log and view only successful logon events:

1. Open the Security log in the Windows Event Viewer.
2. Click the “Filter Current Log” button in the “Actions” pane on the right-hand side of the screen.
3. Choose “Microsoft Windows security auditing” from the “Event sources” drop-down list in the “Filter Current Log” dialog box.
4. In the “Keywords” field, select the “Audit Success” check box.
5. In the “Event IDs” field, enter 4624.
6. In the “User” field, enter the name of the user whose logon events you want to view, or leave it blank to view all users.
7. Click “OK” to apply the filter.

To filter the log and view only failed logon events, follow the same steps as above, but in step 4, select the “Audit Failure” check box, and in step 5, enter 4625 in the “Event IDs” field. By filtering the log to show only successful or failed logon events, you can quickly identify any suspicious activity and take appropriate action.

Interpreting and Taking Action on Login Events

After filtering the log to show only the logon events that you want to investigate, you can interpret and take action on the information provided in the event log. There are several key pieces of information that are important to review when analyzing logon events:

• Event ID: The Event ID indicates whether the logon event was successful or failed. As noted earlier, Event ID 4624 is for a successful logon event, and Event ID 4625 is for a failed logon event.
• Date and Time: The date and time of the logon event can help you identify when the event occurred and whether it coincides with any other events or activities.
• User Account: The user account associated with the logon event can help you identify who accessed the server. This information can be used to determine whether the logon event is expected or not.
• Logon Type: The logon type indicates how the user logged on to the server. There are various logon types, such as interactive, remote, and service logons.
• Source Network Address: The source network address helps you identify where the user was when they accessed the server. This information can be used to determine whether the logon event is suspicious or not.

If you find a suspicious logon event, it’s essential to take immediate action. Depending on the severity of the event, you may need to disable the associated user account, change passwords, or investigate further. Additionally, it’s always a good idea to review your security policies and procedures to ensure that you’re taking all necessary precautions to prevent similar events in the future.

Conclusion

Monitoring login events in a Windows Server is crucial for maintaining a secure and protected server environment. By enabling logon event auditing, accessing the Security log in the Windows Event Viewer, filtering the log to show only logon events, and understanding and responding to the important information provided by these events, you can quickly identify potential security threats and take appropriate action. Additionally, it is important to regularly review and update your security policies and procedures to ensure that you are employing the best practices to safeguard your sensitive data and prevent cyberattacks.