
EventLog

So, I wanted to monitor a machine: when it's powered on, powered off, when I log in, when I log off, when I lock my session and when I unlock it.

Using the Event Viewer, I can create custom filters.
But some events aren't logged by default, including when I lock or unlock a session, be it directly or through the screensaver.

So first, I must enable those logs.

If you're lucky and have a Professional/Enterprise edition (or higher) of Windows, you can do it directly in Group Policy by going to Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy and logging success/failure for:
Audit Logon
Audit Logoff
Audit Other Logon/Logoff Events

If you're not lucky and have a Home edition (or similar), you can:
  • get the events with
    wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true
  • enable them with
    auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
  • or go through the registry:
    psexec -s -i regedit
    then go to HKLM\SECURITY\Policy\PolAdtEv and edit the hexadecimal data of the default value:
    offsets 16, 18 and 24 should contain "03" to log both success (&01) and failure (&02).
    A reboot is necessary.

Then you can query those events, using either WMI/WQL (through wbemtest/wmic) or XML filters/queries for the event log.
With the first choice, it's not possible/practical to query some specific attributes that are of array data type, which WQL doesn't support querying against.
With the second choice, you can do it easily.

Here are my 3 filters:
1) startup / shutdown
<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[(EventID=1100 or EventID=4608)]]</Select>
<Select Path="System">*[System[(Provider[(@Name!="SNMP" and @Name!="Microsoft-Windows-UserModePowerService")]) and (EventID=12 or EventID=13 or EventID=41 or EventID=1001 or EventID=6005 or EventID=6006 or EventID=6008 or EventID=6009)]]</Select>
</Query>
</QueryList>

2) lock / unlock
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]</Select>
</Query>
</QueryList>

3) login / logoff
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=528 or EventID=529 or EventID=538 or EventID=540 or EventID=551 or EventID=672 or EventID=680 or EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648 or EventID=4672 or EventID=4768 or EventID=4776 or EventID=7001 or EventID=7002)] and EventData[(Data[@Name="TargetUserName"]="sebbu" or Data[@Name="TargetUserName"]="zsbe17fr@yahoo.fr")]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
</Query>
</QueryList>

Yes, both the username and the email (for a Microsoft Account) can be found, depending on the EventID.
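The same QueryList format is accepted by Get-WinEvent's -FilterXml parameter, so the lock/unlock and logon/logoff filters above can be run from PowerShell and turned into a session timeline. This is an added example, not code from the original post; it assumes an elevated prompt (the Security log requires administrator rights) and uses a constructed placeholder account name in $User.

```powershell
# Added example (not from the original post). Run elevated: the Security log
# is not readable by standard users. $User is a constructed placeholder.
$User = 'sebbu'

# Same QueryList format as the Event Viewer "XML" tab. Filtering on EventData
# fields such as TargetUserName works here, unlike with WQL.
# 4800-4803: lock/unlock/screensaver; 4624/4634/4647: logon/logoff.
# The Suppress drops network (3) and service (5) logons, which are noise
# when you only care about the interactive session.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]</Select>
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4647)] and EventData[Data[@Name="TargetUserName"]="$User"]]</Select>
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4634)] and EventData[(Data[@Name="LogonType"]="3" or Data[@Name="LogonType"]="5")]]</Suppress>
  </Query>
</QueryList>
"@

$Labels = @{
  4800 = 'locked';         4801 = 'unlocked'
  4802 = 'screensaver on'; 4803 = 'screensaver off'
  4624 = 'logon';          4634 = 'logoff'
  4647 = 'logoff (user initiated)'
}

function Get-SessionTimeline {
  param([int]$MaxEvents = 200)
  # -Oldest returns events in chronological order instead of newest first.
  Get-WinEvent -FilterXml ([xml]$Query) -MaxEvents $MaxEvents -Oldest -ErrorAction SilentlyContinue |
    ForEach-Object {
      # Pull the named EventData fields out of the event's XML rendering.
      $x = [xml]$_.ToXml()
      $data = @{}
      foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
      [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        What      = $Labels[$_.Id]
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
      }
    }
}

Get-SessionTimeline | Format-Table -AutoSize
```

If you saved one of the filters above as a Custom View in Event Viewer, the XML on its "XML" tab can be pasted into $Query unchanged.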

Now I just have to click on the filtered view, and I only see the events I’m interested in.
Maybe I’ll make a GUI for it later.


X11 Forwarding & X tools

Configuration

  1. First, you need an X server installed (outside the scope of this article), or at least some of the libs, to be able to run the apps.
    You also need xauth and maybe xhost (in the package x11-xserver-utils).
  2. Second, you need ssh to accept X forwarding (in /etc/ssh/sshd_config):
    X11Forwarding yes
    X11UseLocalhost yes
    X11DisplayOffset 10
  3. Third, you need a real X server to display the X apps on the client (XMing, Cygwin/X, VcXsrv, etc.).
  4. Then you can do export DISPLAY=localhost:10.0 and run X apps.

Tools

  • x11-apps
    xclock, rendercheck
  • nux-tools
    unity_support_test
  • x11-utils
    xdpyinfo, xdriinfo, xvinfo, xwininfo
  • mesa-utils
    glxinfo, glxgears