Sometimes it is required to trace the login/logoff activities of administrators in order to comply with legal guidelines, or simply for security reasons (see also our article “What to do with all those logs“). The Safed agent for Windows can easily be configured to collect administrator logins and logoffs. The agent is deployed with some administrator discovery commands, which it can execute in order to obtain the list of domain administrators and then create a filtering objective from it. All events that concern an administrator’s login/logoff are captured, formatted and then sent to the log server.
This simple solution has its drawbacks. For example, when Safed monitors a domain controller that handles Kerberos logon/logoff authentications, the number of captured events can become very high, producing fast-growing log files both on the Safed side and on the collector server side. Here some tuning has to be done. First of all, set the administrator filter as the last evaluated objective (see picture below). Then define some filtering objectives with the “Exclude General Search Type” option enabled.
Fill the regexp-enabled General Search Term field with what you need to be excluded from processing and forwarding (see picture below). This way, only the events that are really wanted from the administrator’s login/logoff activity are processed by the last filter and forwarded to the log server.
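To illustrate why the evaluation order matters, here is an added example that models the objective chain described above in Python; it is not Safed's own code, and the first-match semantics, the event layout, the sample records and the administrator list are all assumptions of the model.

```python
import re
from dataclasses import dataclass

# Constructed sample records, loosely modelled on Windows Security log fields
# (event id, account, logon type, authentication package); not real log data.
EVENTS = [
    (4624, r"DOMAIN\admin1", 3, "Kerberos"),    # network logon on the DC: noise
    (4624, r"DOMAIN\admin1", 10, "Negotiate"),  # interactive RDP logon: wanted
    (4634, r"DOMAIN\admin1", 10, "Negotiate"),  # matching logoff: wanted
    (4624, r"DOMAIN\jdoe", 2, "Negotiate"),     # non-admin user: not of interest
    (4624, r"DOMAIN\admin2", 3, "Kerberos"),    # more Kerberos noise
    (4768, r"DOMAIN\admin2", 0, "Kerberos"),    # TGT request: not a logon/logoff
]

# Assumed result of the agent's administrator discovery step.
ADMINS = [r"DOMAIN\admin1", r"DOMAIN\admin2"]

@dataclass(frozen=True)
class Objective:
    """One filtering objective: a regex over the formatted event line.
    exclude=True models the 'Exclude General Search Type' setting."""
    name: str
    pattern: str
    exclude: bool = False

def format_event(event):
    event_id, account, logon_type, auth = event
    return f"{event_id}\t{account}\t{logon_type}\t{auth}"

def run_chain(events, objectives):
    """Assumed semantics: objectives are tried in order and the first match
    decides. An exclude objective drops the event, an include objective
    forwards it, and an event that matches nothing is dropped."""
    forwarded = []
    for event in events:
        line = format_event(event)
        for obj in objectives:
            if re.search(obj.pattern, line):
                if not obj.exclude:
                    forwarded.append(line)
                break
    return forwarded

def build_objectives(admins, admin_filter_last=True):
    """Admin logon/logoff objective built from the discovered admin list, plus an
    exclude objective for network (type 3) Kerberos logons that flood a DC."""
    admin_alt = "|".join(re.escape(a) for a in admins)
    admin_logon = Objective("admin-logon-logoff", rf"^(4624|4634|4647)\t({admin_alt})\t")
    kerberos_noise = Objective("drop-network-kerberos", r"\t3\tKerberos$", exclude=True)
    return [kerberos_noise, admin_logon] if admin_filter_last else [admin_logon, kerberos_noise]
```

With the admin objective evaluated last, only the two interactive records are forwarded; with it evaluated first, the exclude objective never runs and the Kerberos noise goes to the log server as well.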