SSIM TO AUDIT ADMINISTRATOR LOGON EVENTS ON WINDOWS SERVER 2003
in Italy there's a law that impose to the companies to log and mantain for 6 mounth the logon/logoff events of administrator user in system were is present personal data.
With ssim and collector for windows we are able to collect windows events from the security event log, we filter by event id and take only interactive logon logoff. Now we have to filter again to catch only logon events of user that have administrator privileges on that server, is this possible? How?