[THIN] Re: Audit login/logoff for 1 user

  • From: Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: Thin <thin@xxxxxxxxxxxxx>
  • Date: Thu, 27 Nov 2014 18:57:59 +0000

Yes - but not with a custom view. I had a PowerShell script for a similar
function to output in .csv format.

Does this help?


--BEGIN audit.ps1--------------------------------------------------------------------------
param(
    [Parameter(Mandatory=$true)][string] $user
)

# Map each audited Security event ID to a short description.
function ShowEventMsg {
    param ($myeventid)
    switch ($myeventid) {
        4634    { return "An account was successfully logged off" }
        4624    { return "An account was successfully logged on" }
        4648    { return "A logon was attempted using explicit credentials" }
        4625    { return "An account failed to log on" }
        default { return "unknown event" }
    }
}

# Event ID reference: http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
# Filtering on -InstanceId is far faster than reading the whole log and filtering afterwards.
$logonoffs = Get-EventLog -LogName Security -InstanceId 4634,4624,4625,4648
#$logonoffs = Get-EventLog Security | Where-Object { $_.EventID -eq 4634 -or $_.EventID -eq 4624 }

Write-Host "Auditing for " $user
foreach ($loo in $logonoffs) {
    $accountName = ""
    # The account name sits in a different section of the message for each event type,
    # so narrow the message to the right section first, then take the text between
    # "Account Name:" and "Account Domain:".
    switch ($loo.EventID) {
        4634 {
            # Logoff: the account is in the Subject section
            $loo.Message -split "Account Name:" -split "Account Domain:" |
                Select-Object -First 1 -Skip 1 | Set-Variable accountName
        }
        4624 {
            # Logon: skip the Subject section and read the "New Logon:" section
            $loo.Message -split "New Logon:" | Select-Object -Last 1 | Set-Variable myinfo
            $myinfo -split "Account Name:" -split "Account Domain:" |
                Select-Object -First 1 -Skip 1 | Set-Variable accountName
        }
        4648 {
            # Explicit credentials: read the "Account Whose Credentials Were Used:" section
            $loo.Message -split "Account Whose Credentials Were Used:" | Select-Object -Last 1 | Set-Variable myinfo
            $myinfo -split "Account Name:" -split "Account Domain:" |
                Select-Object -First 1 -Skip 1 | Set-Variable accountName
        }
        4625 {
            # Failed logon: read the "Account For Which Logon Failed:" section
            $loo.Message -split "Account For Which Logon Failed:" | Select-Object -Last 1 | Set-Variable myinfo
            $myinfo -split "Account Name:" -split "Account Domain:" |
                Select-Object -First 1 -Skip 1 | Set-Variable accountName
        }
    }
    $accountName = ([string]$accountName).Trim()
    if ($accountName -eq $user) {
        # CSV row: event id, description, date, time
        $msg = ($loo.EventID -as [string]) + "," + (ShowEventMsg $loo.EventID) + "," +
               ($loo.TimeGenerated -as [string]).Replace(" ", ",")
        Write-Host $msg
    }
}
--END audit.ps1--------------------------------------------------------------------------

On 25 October 2014 at 04:10, Angela <angela_smith9@xxxxxxxxxxx> wrote:

> Hi
>
> Does anyone know a way to interrogate Event Viewer to get login/logoff
> details for a specific user account (local account) in Windows 2008? I
> created a Custom View using an XML filter in Event Viewer with the following:
>
> <QueryList>
>   <Query Id="0" Path="Security">
>     <Select Path="Security">
>     *[System[(EventID=4624)
>     and
>     TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
>     and
>     EventData[Data[@Name='TargetUserName'] and (Data='UserAccount')]
>     and
>     EventData[Data[@Name='LogonType'] and (Data='10')]]
>     </Select>
>   </Query>
> </QueryList>
>
> This works for logon info but cannot incorporate the logoff code as I get
> syntax errors. Has anyone performed this?
>
> Thanks
>



-- 

Andrew

Gilwood CS
Sunderland, UK
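As an added example (not Andrew's audit.ps1 and not from the thread), here is the combined logon/logoff query Angela asked for, written as one XML filter and run through Get-WinEvent so the rows come from the event's named fields rather than from splitting the Message text. It assumes the caller can read the Security log, an account name passed as -User, an optional -LogonType mirroring the LogonType=10 test in the original Custom View, a 30-day default window (the 2592000000 ms in the original filter), and PowerShell 2.0 or later; the output file name audit-<user>.csv is made up for the example.

```powershell
# Added example: one XML filter covering logon (4624) and logoff (4634) for a
# single account, run through Get-WinEvent and written out as CSV.
# Assumed: caller may read the Security log; -User is the target account;
# -LogonType (optional) mirrors the LogonType=10 test of the Custom View.
param(
    [Parameter(Mandatory=$true)][string] $User,
    [string] $LogonType,
    [int] $Days = 30           # 30 days = 2592000000 ms, as in the original filter
)

# The account name is interpolated into an XPath string literal, which has no
# escape mechanism, so refuse names that would break out of the quotes.
if ($User -match '[''"]') { throw "Account name must not contain quotes" }
if ($LogonType -and $LogonType -notmatch '^\d+$') { throw "LogonType must be numeric" }

# [int64] is required: 30 days in milliseconds already exceeds the int32 range.
$ms = [int64]$Days * 24 * 60 * 60 * 1000
$typeTest = ""
if ($LogonType) { $typeTest = " and EventData[Data[@Name='LogonType']='$LogonType']" }

# Event Viewer XPath: 'or' is allowed inside the System[] predicate, and a named
# EventData field is compared as Data[@Name='...']='value'. This same text can
# be pasted into a Custom View's XML tab.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4634)
        and TimeCreated[timediff(@SystemTime) &lt;= $ms]]
        and EventData[Data[@Name='TargetUserName']='$User']$typeTest]
    </Select>
  </Query>
</QueryList>
"@

# SilentlyContinue keeps "No events were found" from being reported as an error.
$rows = Get-WinEvent -FilterXml ([xml]$filterXml) -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML instead of parsing Message text,
        # so the result does not depend on the message template or locale.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = "logoff"
        if ($_.Id -eq 4624) { $action = "logon" }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $action
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            LogonId   = $data['TargetLogonId']   # pairs a 4634 with its 4624
        }
    }

# Newest first; TargetLogonId lets a logoff be matched to the logon that opened the session.
$rows |
    Select-Object Time, EventId, Action, User, Domain, LogonType, LogonId |
    Sort-Object Time -Descending |
    Export-Csv -Path "audit-$User.csv" -NoTypeInformation

Write-Host ("{0} logon/logoff events for {1} written to audit-{1}.csv" -f @($rows).Count, $User)
```

Run it as `.\audit-user.ps1 -User UserAccount -LogonType 10` to reproduce the original Custom View plus the matching logoffs; drop -LogonType to see every logon type. Pulling TargetLogonId into the output is what makes the file useful for review: each 4634 carries the same logon ID as the 4624 that started the session, so session start and end can be paired without guessing from timestamps.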
