Environment: Windows Server 2008 R2 with Samba 3.5 domain & OpenLDAP backend.
Background: on our previous Terminal Server (Windows Server 2003) we used logon/logoff scripts to log user logins and logouts respectively to plain text files on a network drive. Unfortunately we couldn't capture the remote IP address, only the workstation name.
Now that we're moving to Server 2008, we've discovered that the Event Log captures a huge amount of data - including the remote IP - but there doesn't seem to be an easy way to get the data that we want in the format that we want.
There are several resources that might be a step in the right direction:
My question is: do I try and get some sort of real-time export of events in human readable form (and how), or do I perform periodic parsing via a scheduled task (and how)?
It seems to me that if you really want real-time data you could do a lot worse than go back to logon/logoff scripts. If you need the IP address of the client machine and are only getting the machine's name, why not simply do an nslookup on it in the script? Depending on the scripting language you use there may even be a built-in function to do the lookup.
I'm sure plenty of others will have different ideas, but if you do want to parse the event logs, for this or any other reason, Perl not only has the modules, it's hard to beat for processing the data. If you go down that path, regardless of the language you choose to use, I suggest you send the data you are interested in to a database, from where it is much more easily manipulated, searched, etc. Again, Perl makes this easy.
PowerShell (save Get-LogonFailures.ps1 and run)
You can stream this to logstash of course for central management with the windows clients for logstash, or to a management software like Azure Monitor or Solarwinds. Events will never be real time by the way.
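As an added example that is not the answer's own Get-LogonFailures.ps1, here is a PowerShell script of the kind a scheduled task could run on the 2008 R2 terminal server: it pulls logon, logoff and RDP session events from the Security log and writes one CSV row per event with the client's remote IP, which is the field the old logon scripts could not capture. It assumes PowerShell 3.0 or later (WMF 3.0 on 2008 R2), that Logon/Logoff auditing is enabled, and that it runs as an administrator; `$OutDir` and `$Hours` are placeholders.

```powershell
# Added example, not the answer's own Get-LogonFailures.ps1.
# Pulls logon/logoff/session events from the Security log of this terminal
# server and writes one CSV row per event, including the client's remote IP.
# Assumptions: PowerShell 3.0+ (WMF 3.0 on 2008 R2), Logon/Logoff auditing
# enabled, run as an administrator; $OutDir and $Hours are placeholders.
param(
    [int]$Hours = 1,
    [string]$OutDir = '\\fileserver\logs\rdp'    # placeholder share
)

# Event IDs: 4624 logon, 4634/4647 logoff, 4778/4779 RDP session reconnect/disconnect
$actions = @{ 4624 = 'logon'; 4634 = 'logoff'; 4647 = 'logoff'
              4778 = 'reconnect'; 4779 = 'disconnect' }

# Return the first non-empty field among several candidate EventData names,
# because 4624/4634 and 4778/4779 name the same information differently.
function Pick($data, [string[]]$names) {
    foreach ($n in $names) { if ($data[$n]) { return $data[$n] } }
    return ''
}

$filter = @{
    LogName   = 'Security'
    Id        = @($actions.Keys)
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    # Keep only interactive (2) and RDP RemoteInteractive (10) logons; skip the
    # network/service logons that every file share access generates.
    if ($_.Id -eq 4624 -and @('2', '10') -notcontains $data['LogonType']) { return }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Action    = $actions[[int]$_.Id]
        User      = Pick $data 'TargetUserName', 'AccountName'
        Domain    = Pick $data 'TargetDomainName', 'AccountDomain'
        LogonId   = Pick $data 'TargetLogonId', 'LogonID'
        Client    = Pick $data 'WorkstationName', 'ClientName'
        RemoteIp  = Pick $data 'IpAddress', 'ClientAddress'
    }
}

$rows | Sort-Object Time |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir ("logons-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date)))
```

Run it from a scheduled task with `$Hours` set to the task interval, and match logon to logoff rows on `LogonId` to compute session length.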