I was recently asked to record when a user logon/logoff on a Windows workstation. Both MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.
But the goal here is to have a simple, readable log file with just the logon/logoff events traced.
The proposed solution is based on a PowerShell script that acts as syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run a rsyslogd service.
I configured a GPO to deploy the PowerShell script, but should work also on non-members workstations by tweaking the Windows Registry or similar.
The full description and implementation is available here: https://github.com/DavidePrincipi/gpoaudit
[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging