Hello Everyone,
I am trying to deploy an action that can trigger on Login event in windows machines. Is is feasible in Bigfix. We are on version 11.0.3.
You got the event log inspector - https://developer.bigfix.com/relevance/reference/event-log.html
What is your specific criteria for applying the action?
Thank you Orbiton. I want to trigger my action when user login the machine. Action should wait until it gets next login event on machine.
Iâd be interested to better understand the use case here if youâre able to share more details.
That said, there is a deployment option to constrain actions to execute when users are present. See the following for reference:
- Console: Users Tab
- WebUI: Configuration Options
@mishravk23, have you tried something like adding âexists current userâ to the relevance of your job? If you make a policy action targeting a group of machines, then when someone logs on, the machine would become relevant and run.
Hi Orbiton,
I want that action will execute at the login time, actually we are migrating VPN in our environment at it is disrupting few apps for few mins. So to avoid the impact on users we want to schedule it to trigger on next login as we are expecting that if it will execute at during login then it will not impact any critical process that user is doing during the working hours.
Hi, In that case it will execute if user is presently working on the machine. we want to avoid that we want do it like startup script.
@mishravk23 please check to following:
Youâre looking to identify user login events in the Windows Event Viewer, covering both local and Remote Desktop Protocol (RDP) logins. Hereâs how you can achieve this, along with the relevant event IDs and filtering techniques:
Key Event IDs:
- 4624 (An account was successfully logged on): This is the primary event ID youâll be working with. It captures both local and remote logins.
- 4634 (An account was logged off): This event ID indicates logoff events, which can be useful for tracking session durations.
Filtering for Local and RDP Logins:
To distinguish between local and RDP logins, youâll need to examine the âLogon Typeâ field within the 4624 event details. - Local Logins:
- Logon Type: 2 (Interactive)
- RDP Logins:
- Logon Type: 10 (RemoteInteractive)
Steps to Filter in Event Viewer:
- Logon Type: 10 (RemoteInteractive)
- Open Event Viewer:
- Press Windows key + R, type eventvwr.msc, and press Enter.
- Navigate to Windows Logs > Security:
- In the left pane, expand âWindows Logsâ and select âSecurity.â
- Filter Current Log:
- In the right pane, click âFilter Current LogâŚâ
- Enter Event ID:
- In the âEvent IDsâ field, enter 4624.
- Filter by Logon Type (Optional):
- To further refine the results, switch to the âXMLâ tab.
- Here you can input XML queries.
- Local Logins XML Query:
- *[System[EventID=4624] and EventData[Data[@Name=âLogonTypeâ]=â2â]]
- RDP Logins XML Query:
- *[System[EventID=4624] and EventData[Data[@Name=âLogonTypeâ]=â10â]]
- Paste the appropiate query into the XML filter field.
- Click OK:
- The Event Viewer will now display only the events that match your filter criteria.
- Examine Event Details:
- Double-click an event to view its details.
- Pay close attention to the âAccount Name,â âLogon Type,â âLogon ID,â and âSource Network Addressâ (for RDP logins).
Important Notes:
- Security Auditing: Ensure that security auditing is enabled for logon events. If not, the events wonât be logged. You can configure this in the Local Security Policy (secpol.msc).
Can you please make sure that those events are being written on the event viewer?
2 Likes
If youâre going to depend on user interaction, why not send it with a "user confirmationâ interaction in the Action Settings?
Otherwise, Iâd recommend dropping a script into one of the startup areas in Windows - the Run key of the registry, the Start Menu\Programs\Startup folder,.the Task Scheduler, or the Active setup registry keys.