Koozali.org: home of the SME Server

trace back user on pc <<solved>>

Offline tropicalview

« on: March 01, 2011, 03:57:37 PM »
Dear all,

Thanks to the great logging functionality of Linux in general, and of SME & Contribs in particular, I managed to track back illegal browsing actions to the internal IP address of the computer (Sarg and dansguardian).

Now I would like to know who has logged in on that machine (known are the machine name, the machine IP (static) and the time).
We have all PCs in the domain, and the PCs and the network are configured with roaming profiles.

I thought it could be possible to get this out of the Samba logs, but I was unsuccessful as the samba/IP logs are only error logs and not event logs.
Is there some other log I can check to get the login / logout actions on the PCs attached to the network?

Kind regards,

« Last Edit: March 01, 2011, 05:44:19 PM by tropicalview »
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- upto now)

Offline tropicalview

Re: trace back user on pc.
« Reply #1 on: March 01, 2011, 05:43:58 PM »
Hi All,

I have found the answer already.
For other users having the same question, there is a log file called "netlogon":
go to the server-manager panel,
go to view log files,
select the netlogon and view.


Offline axessit

Re: trace back user on pc <<solved>>
« Reply #2 on: April 15, 2011, 06:04:17 AM »
I know it's an old post, but just thought I'd share with you the reason for using proxy user authentication - if you configure as per the dansguardian wiki, each time a user opens a web browser to go on the net, they have to enter their user name/password, then this gets inserted into the dansguardian log as to the user and the ipaddress of the client PC. I go one step further on some workstations and prohibit IE/Firefox/Safari from caching the password, so users are forced to enter it each time, so it stops someone browsing the web on a machine someone else has logged into.

Quote
Sun Apr 10 13:24:09 2011      3 192.168.2.140 TCP_DENIED/403 0 GET http://ads.trademe.co.nz/GetMultipleAds.aspx?ack...Ijc5QkZBQU jo DEFAULT_PARENT/127.0.0.1 -

You can then use the SME logviewer to filter by user, or the Sarg reports will show you usage by user as well (Very handy for finding out the bandwidth bandits).
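
An added example, not part of the thread: a Python sketch that answers the original question (which proxy user was browsing from a given IP in a given time window) from access-log lines in the layout quoted in Reply #2. The sample lines, the hosts and the user `sam` are constructed, and the column meanings (elapsed, result, size, peer, content type) are assumed from that single quoted line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed column layout, read off the line quoted in Reply #2:
# date, elapsed, client IP, result/status, bytes, method, URL, user, peer, type
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<elapsed>\d+)\s+"
    r"(?P<ip>\S+) (?P<result>\S+) (?P<size>\d+) (?P<method>\S+) "
    r"(?P<url>.+) (?P<user>\S+) (?P<peer>\S+) (?P<ctype>\S+)$"
)

# Constructed sample lines (not real log data).
SAMPLE = """\
Sun Apr 10 13:24:09 2011      3 192.168.2.140 TCP_DENIED/403 0 GET http://ads.example.test/a.aspx?x=1 jo DEFAULT_PARENT/127.0.0.1 -
Sun Apr 10 13:25:40 2011     41 192.168.2.140 TCP_MISS/200 5120 GET http://www.example.test/ jo DEFAULT_PARENT/127.0.0.1 text/html
Sun Apr 10 13:26:02 2011     12 192.168.2.141 TCP_MISS/200 800 GET http://www.example.test/ sam DEFAULT_PARENT/127.0.0.1 text/html
Sun Apr 10 13:27:15 2011      9 192.168.2.140 TCP_MISS/200 300 GET http://www.example.test/c - DEFAULT_PARENT/127.0.0.1 text/html
Sun Apr 10 17:02:11 2011     30 192.168.2.140 TCP_MISS/200 900 GET http://www.example.test/b sam DEFAULT_PARENT/127.0.0.1 text/html
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S %Y")
    return rec

def users_on_ip(lines, ip, start, end):
    """Per-user request and denied counts for `ip` within [start, end]."""
    seen = defaultdict(lambda: {"requests": 0, "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] != ip or not (start <= rec["when"] <= end):
            continue
        entry = seen[rec["user"]]  # "-" means no proxy user was recorded
        entry["requests"] += 1
        entry["denied"] += rec["result"].startswith("TCP_DENIED")
    return dict(seen)

if __name__ == "__main__":
    window = (datetime(2011, 4, 10, 13, 0), datetime(2011, 4, 10, 14, 0))
    for user, stats in users_on_ip(SAMPLE.splitlines(), "192.168.2.140", *window).items():
        print(user, stats)
```

Requests logged with `-` as the user are the ones that still need the netlogon log to attribute, since no proxy login was recorded for them.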