Friday, July 1, 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part B)

This is a long post that I've edited from an answer I gave on Stack Overflow. Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information (such as the "Logon Type") from the 'Message' field of a logon event (ID 4624).




Get-WinEvent -max 100 | where { $_.Message | findstr /C:"Logon Type"}  | Select Message | fl * | findstr /C:"Logon Type"

  Logon Type:            5
  Logon Type:            7
  Logon Type:            7
  Logon Type:            7
  Logon Type:            7
  Logon Type:            5
  ...

Get-WinEvent Security -max 100 | Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"}  | ft -auto -wrap | more

  Id Level Message
  -- ----- -------
4624     0 An account was successfully logged on.

           Subject:
               Security ID:        S-1-5-18
               Account Name:        RMFVPC$
               Account Domain:        RMFDEVELOPMENT
               Logon ID:        0x3e7

           Logon Type:            5
...
Now I introduce the '-FilterHashtable' parameter, which greatly speeds up queries. Below are two commands which do essentially the same thing in about the same period of time:

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | ft TimeCreated,MachineName,Message -auto -wrap | more

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

TimeCreated           MachineName Message
-----------           ----------- -------
6/29/2011 12:36:35 PM rmfvpc      An account was successfully logged on.

                                  Subject:
                                      Security ID:        S-1-5-18
                                      Account Name:        RMFVPC$
                                      Account Domain:        RMFDEVELOPMENT
                                      Logon ID:        0x3e7

                                  Logon Type:            5
...

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

@{TimeCreated=06/29/2011 12:36:35; MachineName=rmfvpc; Message=An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:        RMFVPC$
    Account Domain:        RMFDEVELOPMENT
    Logon ID:        0x3e7

Logon Type:            5
...
This last script lets me dump pre-selected lines from the Message field of each logon event into a spreadsheet. Very useful.

 # Pull every successful-logon event, then keep only the Message lines whose labels are listed in search.lst
 $LogonTypes = Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}
 foreach ($item in $LogonTypes) {($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace "  ","" -join "," | Out-File -Append test3.csv }

where search.lst contains:

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:

The result is a spreadsheet that looks like this:


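Parsing the Message field into named columns instead of filtering lines with findstr, as an added example that is not from the original post. It assumes PowerShell 3.0 or later for the [pscustomobject] cast; the function names and the sample message are mine, and the sample is a constructed, abridged copy of the Windows 7 event layout.

```powershell
# Added example (not from the original post): parse the Message text of
# ID 4624 events into one object per event. Labels that repeat, such as
# "Account Name:", are prefixed with their section ("Subject", "NewLogon")
# so the two copies do not collide, then the objects go to Export-Csv.
function ConvertFrom-LogonMessage {
    param([string]$Message, [datetime]$TimeCreated, [string]$MachineName)
    $row = [ordered]@{ TimeCreated = $TimeCreated; MachineName = $MachineName }
    $section = ''
    foreach ($raw in ($Message -split "`r?`n")) {
        if (-not ($raw -match '^(\s*)([^:]+):\s*(.*)$')) { continue }   # skip text without "Label:"
        $indented = $Matches[1] -ne ''
        $label = $Matches[2].Trim() -replace '[^A-Za-z0-9]', ''
        $value = $Matches[3].Trim()
        if (-not $indented -and $value -eq '') { $section = $label; continue }  # "Subject:" etc.
        if (-not $indented) { $section = '' }            # top-level field such as "Logon Type:"
        $name = if ($section) { "$section.$label" } else { $label }
        $row[$name] = $value
    }
    [pscustomobject]$row
}

# Real use: the same query as the post, without findstr or search.lst.
function Export-LogonCsv {
    param([string]$Path = 'logons.csv', [int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonMessage $_.Message $_.TimeCreated $_.MachineName } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample (abridged Windows 7 layout, spaces instead of tabs) so the
# parser can be tried on a machine without access to the Security log.
$sample = @'
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       RMFVPC$
    Logon ID:           0x3e7

Logon Type:            5

New Logon:
    Security ID:        S-1-5-18
    Account Name:       SYSTEM

Process Information:
    Process Name:       C:\Windows\System32\services.exe
'@
ConvertFrom-LogonMessage $sample (Get-Date) 'rmfvpc' | Format-List
```

Reading the Security log needs an elevated shell. Export-Csv takes its column set from the first object, which is fine here because every 4624 message shares one layout.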
However, what I need is to be able to search the Message field of multiple 'logon' event types... so on to

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

3 comments:

  1. When I tried this, I got a long list of:
    FINDSTR: Cannot read strings from search.lst

    1. Unknown:

      You need to create search.lst as a text file and store it in your path:

      TimeCreated
      Security ID:
      Account Name:
      Account Domain:
      Logon ID:
      Logon Type:
      Logon GUID:

  2. Ryan,
    How would I apply your last script to multiple computers and if possible to an OU in Active Directory?

    Thanks.
