Almost one year ago, Roadmap was ISO 27001 certified. This was a great accomplishment for a startup that was only half a year old at the time. We weren’t entirely issue-free of course; we had a couple of minor issues to fix, but only a couple. In general, we were in control. One of these minor points was that we needed to get an alert when someone logged on to a server in the production environment. Why? Because people shouldn’t. There is no need to be on a production server for writing or deploying software, because we use Octopus Deploy for deployments. The only developer we’d expect to find logging on to servers is the one on call; he or she is in the ‘ops’ role of DevOps. And of course we’d expect Jeffrey, our DBA.
Recently, someone asked me just how we created such an alert, so I decided to share how we did it.
Our first attempt to get the alert was to leverage the Windows event with ID 4624 together with LogicMonitor (https://www.logicmonitor.com). It is a great tool to monitor your servers; you should check it out. My thought was that I could use LogicMonitor to check the event log and warn whenever a user logs on. But the log was full of these events: Windows didn’t just log the logon events from me and my colleagues, but also from the AD accounts that we use to run services and tools. We needed to filter the logons to see if there were any strange ones. Unfortunately, I was unable to filter the events down to the level I needed, despite LogicMonitor’s powerful filtering capabilities.
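To illustrate the filtering the post is after, here is an added example (not code from the original post, nor anything LogicMonitor provides) that runs in Python over constructed 4624 records: it keeps interactive and RDP logons by human accounts and drops the service, machine and expected accounts that make the raw log noisy. The account names, IP addresses and the expected-account list are assumptions for the example.

```python
# Constructed sample records mimicking the EventData of Windows Security event 4624.
# Field names match the real event; accounts, IPs and event order are invented here.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

# Accounts allowed to log on interactively in production (hypothetical names).
EXPECTED_ACCOUNTS = {"CORP\\oncall-dev", "CORP\\jeffrey"}


def parse_4624(event):
    """Return (user, logon_type, source_ip) from a 4624 record, or None if it is another event."""
    if int(event.get("EventID", 0)) != 4624:
        return None
    user = f"{event['TargetDomainName']}\\{event['TargetUserName']}"
    return user, int(event["LogonType"]), event.get("IpAddress", "-")


def suspicious_logons(events, expected=EXPECTED_ACCOUNTS):
    """Keep only console/RDP logons by human accounts that are not on the expected list."""
    alerts = []
    for ev in events:
        parsed = parse_4624(ev)
        if parsed is None:
            continue
        user, logon_type, source_ip = parsed
        if logon_type not in INTERACTIVE_LOGON_TYPES:
            continue  # service (5), network (3) and batch (4) logons are the noise described above
        if user.endswith("$"):
            continue  # computer accounts end in '$'
        if user in expected:
            continue
        alerts.append({"user": user, "logon_type": logon_type, "source_ip": source_ip})
    return alerts


SAMPLE_EVENTS = [  # constructed, not real log data
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc-octopus", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "PRODWEB01$", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jeffrey", "LogonType": 10, "IpAddress": "10.0.1.20"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.1.42"},
    {"EventID": 4672, "TargetUserName": "alice"},  # special-privilege logon, not a 4624, ignored
]

if __name__ == "__main__":
    for alert in suspicious_logons(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} logon type {alert['logon_type']} from {alert['source_ip']}")
```

Run against the constructed events, only the logon by `CORP\alice` survives the filter; in practice the expected-account set would be the on-call rota and the DBA.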