WindowsEventMonitor
0.0.4
The scheduled task will be triggered on any user logon to vm as well as every given $repetitionIntervalInMin intervals
that watches the windows events triggered by logon and logoff events as well as netstat and quser query results
to infer if there are any active rdp or ssh session connected to vm.
# Windows VM event monitor
# This tool contains the scripts th
that watches the windows events triggered by logon and logoff events as well as netstat and quser query results
to infer if there are any active rdp or ssh session connected to vm.
# Windows VM event monitor
# This tool contains the scripts th
The scheduled task will be triggered on any user logon to vm as well as every given $repetitionIntervalInMin intervals
that watches the windows events triggered by logon and logoff events as well as netstat and quser query results
to infer if there are any active rdp or ssh session connected to vm.
# Windows VM event monitor
# This tool contains the scripts that can run as scheduled task under System account and are capable or reading the windows event log and put it to Log Analytics.
# Logon indication events:
Gets the details of the latest windows logoff related events and returns the latest event among those events. The list of events considered to be logoff related are
- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH connected
- `4648`: This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials..
- `4624`: This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
- `5140`: This event generates every time network share object was accessed.
- `4801`: This event is generated when workstation was unlocked.
- `4634`: This is not a logoff event but session end event, disabled as it gets fired for both logon/logoff
# Logoff indication events:
Gets the details of the latest windows logoff related events and returns the latest event among those events. The list of events considered to be logoff related are
- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH disconnect is requested
- `4647`: This event is generated when a logoff is initiated. No further user-initiated activity can occur for related logon ref.
- `4779`: This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
- `4689`: This event is generated when process is terminated. (Disabled for calculations as netstat provides if any ssh connection is active.
# Active Sessions and SSH connection:
`quser` Event Monitor gathers the data about which users and active sessions exist on the machine. It will send the log with each session's idle time. `netstat -b` gives the indication if there is any active ssh connection to the machine.
# Miscellaneous windows events:
In addition to logon and logoff related events this tools is `capable of tracking miscellaneous windows event` that can be dynamically provided as input to task while its registration.
`Version: Scripts to VM Event Monitor`
Show more
that watches the windows events triggered by logon and logoff events as well as netstat and quser query results
to infer if there are any active rdp or ssh session connected to vm.
# Windows VM event monitor
# This tool contains the scripts that can run as scheduled task under System account and are capable or reading the windows event log and put it to Log Analytics.
# Logon indication events:
Gets the details of the latest windows logoff related events and returns the latest event among those events. The list of events considered to be logoff related are
- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH connected
- `4648`: This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials..
- `4624`: This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
- `5140`: This event generates every time network share object was accessed.
- `4801`: This event is generated when workstation was unlocked.
- `4634`: This is not a logoff event but session end event, disabled as it gets fired for both logon/logoff
# Logoff indication events:
Gets the details of the latest windows logoff related events and returns the latest event among those events. The list of events considered to be logoff related are
- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH disconnect is requested
- `4647`: This event is generated when a logoff is initiated. No further user-initiated activity can occur for related logon ref.
- `4779`: This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
- `4689`: This event is generated when process is terminated. (Disabled for calculations as netstat provides if any ssh connection is active.
# Active Sessions and SSH connection:
`quser` Event Monitor gathers the data about which users and active sessions exist on the machine. It will send the log with each session's idle time. `netstat -b` gives the indication if there is any active ssh connection to the machine.
# Miscellaneous windows events:
In addition to logon and logoff related events this tools is `capable of tracking miscellaneous windows event` that can be dynamically provided as input to task while its registration.
`Version: Scripts to VM Event Monitor`
Installation Options
Owners
Copyright
(c) Microsoft. All rights reserved.
Requires License Acceptance
Package Details
Author(s)
- ranavale
Tags
Windows EventMonitor ConnectionMonitor PowerShell VirtualMachineMonitor Security EventLogs
Functions
Register-VMMonitorTask Unregister-EventMonitor Start-EventMonitor Stop-EventMonitor Enable-EventMonitor Disable-EventMonitor Get-EventMonitor
Dependencies
This module has no dependencies.
Release Notes
0.0.1 20230723
* Initial beta release to PS Gallery
FileList
- WindowsEventMonitor.nuspec
- License.txt
- README.md
- WindowsEventMonitor.psd1
- EventMonitor\EMCommon.psm1
- EventMonitor\LogoffIndicators.psm1
- EventMonitor\LogonIndicators.psm1
- EventMonitor\MiscellaneousEvents.psm1
- EventMonitor\Start-EventMonitor.ps1
- EventMonitor\Telemetry\AITelemetry.psm1
- EventMonitor\Telemetry\Logs.txt
- EventMonitor\Telemetry\Microsoft.ApplicationInsights.dll
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 0.0.4 (current version) | 1,848 | 7/28/2023 |