NTLast from Foundstone is a simple command line security auditing tool for Windows, aimed at serious security and IIS administration. Scheduled review of your NT event logs is critical for your network: a server breach can be uncovered by regular system auditing. NTLast makes it easier to identify and track who has gained access to your system and to document the details. The tool can quickly report on the status of IIS users and filter web server logons out from console logons. NTLast can distinguish between remote and interactive logons and match logon times with logoff times.
While NTLast was designed for Windows NT, it is a Win32 command line tool and works equally well on Windows 2000, Windows XP and Windows 2003. NTLast can be run against the local system or against a remote system, provided Audit Logging is enabled on that system and the user running the command has Administrator privileges.
Some of the features of NTLast are:
Can copy event logs to .evt and .csv files and read archived .evt files
Can search for events before or after a date, or within a date range
Can filter logons ‘From’ a certain host to zero in on suspected intrusions
Can filter out and distinguish web log usage by searching the IIS logs directly
Can filter Interactive, Remote or Failed logons
Distinguishes between Remote and Interactive logons
Matches logon times with logoff times
NTLast can be downloaded from the following Foundstone website:
http://www.foundstone.com/us/resources/proddesc/ntlast.htm
The download is a zip file containing the utility itself, a command help file and a FAQ.
The following are examples of how you can use this tool.
Failed Logon attempts for a user
C:\NTLast>ntlast /f /u jondoe
Track IIS Activity
C:\NTLast>ntlast /IIS
Copy Security Audit events from a remote server
C:\NTLast>ntlast -m \\server -file c:\log\sec.evt
C:\NTLast>ntlast -file \\server\log\sec.evt
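The commands above are one-off checks. As an added example (not part of the NTLast distribution or its documentation), the batch file below turns them into the scheduled review the article recommends: it runs the failed-logon and IIS checks against every server listed in a file and archives each server's Security log to .evt for later offline review. It assumes ntlast.exe is on the PATH, a servers.txt listing one \\server per line, that the account running it is an Administrator on each server with Audit Logging enabled, and it reuses the switch forms exactly as shown in the examples above (they are not verified beyond that).

```batch
@echo off
REM Scheduled NTLast review across several servers (added example, not Foundstone's own code).
REM Assumed inputs: ntlast.exe on the PATH and C:\NTLast\servers.txt with one \\server per line.
setlocal enabledelayedexpansion
set REPORTDIR=C:\NTLast\reports
set SERVERS=C:\NTLast\servers.txt
set WATCHUSER=jondoe
if not exist "%REPORTDIR%" mkdir "%REPORTDIR%"
if not exist "%SERVERS%" (
    echo Server list %SERVERS% not found.
    exit /b 1
)

REM Build a file-name-safe date stamp from %DATE%; the layout of %DATE% depends on regional settings.
set STAMP=%DATE:/=-%
set STAMP=%STAMP: =_%

for /f "usebackq" %%S in ("%SERVERS%") do (
    REM Strip the leading backslashes so the server name can be used in a file name.
    set NAME=%%S
    set NAME=!NAME:\=!
    set OUT=%REPORTDIR%\!NAME!_%STAMP%.txt

    echo === !NAME! - failed logons for %WATCHUSER% === >> "!OUT!"
    ntlast -m %%S /f /u %WATCHUSER% >> "!OUT!"

    echo === !NAME! - IIS activity === >> "!OUT!"
    ntlast -m %%S /IIS >> "!OUT!"

    REM Keep an archived copy of the Security log; it can be read back later with -file.
    ntlast -m %%S -file "%REPORTDIR%\!NAME!_%STAMP%.evt"
)
endlocal
```

Schedule it with the AT command or Task Scheduler under an administrative account and review the dated reports in C:\NTLast\reports each morning.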