Jaa


Tracking RRAS users in Windows 2003 server

The most widely asked questions are how do we accomplish tracking for the RRAS users. The key requirements are:

1. Track users who log on through Remote Access Services

2. Track/monitor the amount of time each user spends logged in

These can be achieved using the IAS log files that are generated in %windir%\system32\Logfiles. Additionally the tool “IASParse.exe” will be of immense use to help you parse these logs. Information about IASParse.exe is available at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5859c567-8c92-4212-b461-87729bb5daf7.mspx

The IAS log files will have the information logged in a format which will be difficult to comprehend. (Please see attached file iaslog.txt for sample IAS logs). However, IASParse can be used to decode these IAS log files into readable format . The IAS log files should be in ‘IAS’ format for this (There are two options – IAS format and database compatible format)

1. Track users who log on through Remote Access Services

A portion of the log file generated by IASParse is as follows:

 …

 …

 NAS-IP-Address : 65.52.46.226

 User-Name : FAREAST\jananiv

 Record-Date : 07/25/2005

 Record-Time : 10:59:03

 Service-Name : RAS

 …

 …

 Packet-Type : Access-Accept

 Reason-Code : The operation completed successfully.

 An “Access-Accept” is logged when the user is successfully authenticated. So, parsing this file will help in getting information about all users.

  1. Track/monitor the amount of time each user spends logged in

Apart from the authentication requests as above, if we choose to log the ‘Accounting requests’ also - This needs to be selected in the RRAS console à Remote Access Logging à Doubleclick ‘Local file’ à Checking both ‘Authentication requests’ and ‘Accounting requests’ – a accounting request is logged once during the connection establishment and once during connection termination and both have the Record-Date and Record-Time logged. From these values for the both accounting requests, the time for which the user was connected can be calculated.

 User-Name : FAREAST\jananiv

 Record-Date : 07/25/2005

 Record-Time : 10:59:03

  …..

  …..

 Acct-Status-Type : Start

 Client-IP-Address : 65.52.46.226

  …..

  …..

 Packet-Type : Accounting-Request

 Reason-Code : The operation completed successfully.

User-Name : FAREAST\jananiv

 Record-Date : 07/25/2005

 Record-Time : 10:59:18

  …..

  …..

 Acct-Status-Type : Stop

 Client-IP-Address : 65.52.46.226

  …..

  …..

 Packet-Type : Accounting-Request

 Reason-Code : The operation completed successfully.

2. Another solution would be to use the RAS Administration DLLs.

 A RAS Administration DLL can be written whose MprAdminAcceptNewConnection2 can be implemented such that the username for the connection is logged (This can be got from the ‘wszUserName’ member of the pRasConnection2 parameter passed to MprAdminAcceptNewConnection2) and also the user connect time is logged.

MprAdminConnectionHangupNotification2 need to be implemented such that the time for which the user has been connected should be calculated. (Additional checking may have to be done here to see which user disconnected and if it is the same connection)

Information about administration DLL functions is available at

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/rras/rras/ras_administration_dll.asp

3. To get the activity on a WAN Miniport (PPTP/L2TP) – which is the case when a VPN client connects to the server – the “Performance Counters” which come with the OS can be used. Performance logs can be generated for each port. However, this will not give the details about the user who connected to that port.

Thanks,

Janani

Comments