Get-WinEvent -max 100 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"
Logon Type: 5
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 5
...
Get-WinEvent Security -max 100 | Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more
Id Level Message
-- ----- -------
4624 0 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
....
Now I introduce the '-FilterHashtable' parameter, which greatly speeds up queries. Below are two commands which do essentially the same thing in about the same amount of time:
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | ft TimeCreated,MachineName,Message -auto -wrap | more
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more
TimeCreated MachineName Message
----------- ----------- -------
6/29/2011 12:36:35 PM rmfvpc An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
...
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more
@{TimeCreated=06/29/2011 12:36:35; MachineName=rmfvpc; Message=An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
...
This last script allows me to dump pre-selected information from the logon events' Message field into a spreadsheet. Very useful.
$LogonTypes=Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}
# Parentheses make the intent explicit: strip spaces from each matched line, then join the lines into one CSV row
foreach ($item in $LogonTypes) { (($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","") -join "," | out-file -append test3.csv }
where search.lst contains:
TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:
The result is a spreadsheet that looks like this:
However, what I need is to be able to search the Message field of multiple 'logon' event types... so on to
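As an added example (not code from the original post), here is one way to do the same dump for several logon event IDs at once, parsing the Message field into named columns instead of relying on findstr and a search list. It assumes the Security log is readable (run elevated), and the host names and output path are placeholders.

```powershell
# Added example, not from the original post: summarise several Security logon event
# types into one object per event, ready for Export-Csv.
function Get-LogonEventSummary {
    [CmdletBinding()]
    param(
        # 4624 = successful logon, 4625 = failed logon, 4634 = logoff; all carry a "Logon Type:" line
        [int[]]$Id = @(4624, 4625, 4634),
        [int]$MaxEvents = 500,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Return the value of the LAST "<Label>:" line in the message. The "Subject:" block comes
    # first and the target-account block ("New Logon:" / "Account For Which Logon Failed:")
    # comes later, so the last hit is the account the event is really about.
    function Get-Field([string]$Message, [string]$Label) {
        $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$"
        $m = [regex]::Matches($Message, $pattern)
        if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value } else { $null }
    }

    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = $Id }   # Id accepts an array, so one query covers all types
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if (-not $e.Message) { continue }   # Message can be empty when provider metadata is missing
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                Computer      = $e.MachineName
                Id            = $e.Id
                LogonType     = Get-Field $e.Message 'Logon Type'
                AccountName   = Get-Field $e.Message 'Account Name'
                AccountDomain = Get-Field $e.Message 'Account Domain'
                LogonId       = Get-Field $e.Message 'Logon ID'
                ProcessName   = Get-Field $e.Message 'Process Name'
                Status        = Get-Field $e.Message 'Status'   # only present on 4625 (failure code)
            }
        }
    }
}

# Usage: one CSV row per event across several hosts (host names are placeholders).
Get-LogonEventSummary -ComputerName 'HOST1', 'HOST2' -Id 4624, 4625 |
    Export-Csv -Path .\logon-events.csv -NoTypeInformation
```

To cover every computer in an OU, feed the output of Get-ADComputer (ActiveDirectory module, e.g. `(Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=example,DC=com').Name`, placeholder DN) to -ComputerName; note that -ComputerName uses remote event log access, which must be permitted by the firewall and your account's rights on each host.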
When I tried this, I got a long list of:
FINDSTR: Cannot read strings from search.lst
Unknown:
You need to create search.lst as a text file and store it in your path:
TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Ryan,
How would I apply your last script to multiple computers and if possible to an OU in Active Directory?
Thanks.