IT Management Suite

  • 1.  RDP / VNC report

    Posted Jul 22, 2021 05:58 AM
    Hi Experts,
    Is there a report / query / table that provides info about remoting into or from a target?
    (e.g., I would like to know from which IP / hostname someone remoted into a Windows station.)

    tnx,
    Hagai


  • 2.  RE: RDP / VNC report

    Broadcom Employee
    Posted Jul 22, 2021 08:43 AM

    ITMS doesn't have information about which IP someone logged in from remotely on a client PC.
    For such purposes I think it is better to use a custom inventory data class and find a suitable script to execute via a "Run Script" task on client computers to populate this information. For example:
    tasklist /s computername /fi "imagename eq explorer.exe" /v


    Symantec Management Agent sends events to the ITMS database about the logged in/off account name, and this information is stored in the "Evt_AeX_Client_LogOn" SQL table.
    Thanks,
    IP.



    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------



  • 3.  RE: RDP / VNC report

    Posted Jul 22, 2021 09:28 AM

    Thank you Igor!

    I will try that.

    Tnx,

    Hagai







  • 4.  RE: RDP / VNC report

    Posted Aug 26, 2021 11:16 AM
    Hi All!
    I've been trying to tackle this article I found for extracting Windows Event Viewer logs:
    https://knowledge.broadcom.com/external/article?legacyId=HOWTO124451

    I wish to extract only specific attributes from event ID# 4624 (remote logon) - this will be able to grant me the RDP info I require.

    The question is, since my VB scripting is a bit slow, how the heck do I edit the Custom Data Inventory to successfully extract it?
    I created the Data Class (not sure how many attributes to create if I wish to extract these details):
    TimeCreated SystemTime
    TargetUserName
    TargetDomainName
    WorkstationName
    FromIpAddress
    FromIpPort
    TimeGenerated

    Any chance anyone could help me edit the instance from the website and send me the result?

    I got confused when trying to understand whether I am able to gather info for a specific attribute from an event #, or can I only extract the entire event ID (and how to achieve that)?

    Thanks,
    Hagai


  • 5.  RE: RDP / VNC report

    Posted Aug 26, 2021 11:43 AM
    Also, and that's the real tricky part - I wish to take only the latest event, and not the full list with endless records.
    Is that even possible?

    tnx,
    Hagai


  • 6.  RE: RDP / VNC report

    Posted Aug 26, 2021 01:31 PM

    Here's one I did for auditing remote assistance events that shouldn't require much tweaking. Change the dataclass guid and event log parameters.

     

    # Map each data class column to its position in the NSE data row.
    $nseIndex = @{
        'TimeCreated' = 0
        'Message'     = 1
        'UserId'      = 2
        'Id'          = 3
        'UserName'    = 4
    }
    # Placeholder: replace with the GUID of your own custom data class.
    $classguid = '{00000000-0000-0000-0000-000000000000}'
    $list = @()
    $nse = New-Object -ComObject Altiris.AeXNSEvent
    $nse.priority = 1
    $nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
    $objDCInstance = $nse.AddDataClass($classguid)
    $objDataClass = $nse.AddDataBlock($objDCInstance)
    # Read the log, skipping event IDs 31 and 32; @() keeps a single result indexable.
    $events = @(Get-WinEvent -LogName 'Microsoft-Windows-RemoteAssistance/Operational' |
        Where-Object { [string]$_.Id -notin @('31','32') } |
        Select-Object Id, Message, UserId, TimeCreated)
    for ($i = 0; $i -lt $events.Count; $i++) {
        $objDataRow = $objDataClass.AddRow()
        # Copy every populated event property into its column.
        foreach ($prop in $nseIndex.Keys) {
            if ($events[$i]."$prop") {
                $objDataRow.SetField($nseIndex[$prop], [string]($events[$i].$prop))
            }
        }
        # Resolve the SID to an account name; UserName stays empty if that fails.
        try {
            $objSID = New-Object System.Security.Principal.SecurityIdentifier([string]($events[$i].UserId))
            $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
            $objDataRow.SetField($nseIndex['UserName'], [string]$objUser)
        } catch {
            $objUser = $null
        }
    }
    $nse.sendqueued()
    return $LASTEXITCODE

     


     

     

     

     

     


    Ben Barker

    Systems Engineer | Baptist Health System | 3451 Beach Blvd. Jacksonville, Florida 32207

     

    904.202.0686 (w) | 904.477.2705 (c)

    Benjamin.barker@bmcjax.com
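
    An added example, not part of any post in this thread: one way to pull only selected attributes from a Security event 4624 and keep only the latest matching record, as asked in posts 4 and 5. The function names and the sample event are constructed for illustration; in the event itself the source address fields are named IpAddress and IpPort, and LogonType 10 is the RemoteInteractive (RDP) logon type.

```powershell
# Added example; function names and the sample event below are constructed.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        TimeCreated      = $evt.System.TimeCreated.SystemTime   # UTC, ISO 8601 string
        LogonType        = $data['LogonType']
        TargetUserName   = $data['TargetUserName']
        TargetDomainName = $data['TargetDomainName']
        WorkstationName  = $data['WorkstationName']
        IpAddress        = $data['IpAddress']                   # where the logon came from
        IpPort           = $data['IpPort']
    }
}

function Get-LatestRdpLogon {
    # Needs an elevated session to read the Security log. Get-WinEvent returns
    # newest first, so -MaxEvents 1 yields only the latest matching event.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
}

# Constructed sample event (trimmed to the relevant fields) so the parser runs offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2021-08-26T08:16:02.1234567Z" />
    <Computer>WKS-EXAMPLE.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WKS-EXAMPLE</Data>
    <Data Name="IpAddress">203.0.113.10</Data>
    <Data Name="IpPort">50123</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $sampleXml | Format-List
```

    Each property of the returned object can be written to one column of a custom data class with SetField, in the same way the script in post 6 fills its row.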