[THIN] Re: Audit login/logoff for 1 user
- From: Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>
- To: Thin <thin@xxxxxxxxxxxxx>
- Date: Thu, 27 Nov 2014 18:57:59 +0000
Yes - but not with a custom view. I had a powershell script for a similar
function to output in .csv format
does this help?
--BEGIN
audit.ps1--------------------------------------------------------------------------
param(
[Parameter(Mandatory=$true)][string] $user
)
function ShowEventMsg {
param ($myeventid)
switch ($myeventid) {
4634 {return "An account was successfully logged off"}
4624 {return "An account was successfully logged on"}
4648 {return "A logon was attempted using explicit credentials"}
4625 {return "An account failed to log on"}
default {return "unknown event"}
}
}
#http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
$logonoffs = get-eventlog -instanceid 4634,4624,4625,4648 -logname security
#$logonoffs = get-eventlog security| Where-Object {$_.EventID -eq 4634 -or
$_.EventID -eq 4624}
write-host "Auditing for " $user
foreach ($loo in $logonoffs) {
$accountname = ""
switch ($loo.eventid) {
4634 {
$loo.message -split "Account Name:" -split "Account Domain:" |
select-object -first 1 -skip 1 | set-variable accountName
}
4624 {
$loo.message -split "New Logon:" | select-object -last 1 | set-variable
myinfo
$myinfo -split "New Logon:" -split "Account Name:" -split "Account Domain:"
| select-object -first 1 -skip 1 | set-variable accountName
}
4648 {
$loo.message -split "Account Whose Credentials Were Used:" | select-object
-last 1 | set-variable myinfo
$myinfo -split "New Logon:" -split "Account Name:" -split "Account Domain:"
| select-object -first 1 -skip 1 | set-variable accountName
}
4625 {
$loo.message -split "Account For Which Logon Failed:" | select-object -last
1 | set-variable myinfo
$myinfo -split "New Logon:" -split "Account Name:" -split "Account Domain:"
| select-object -first 1 -skip 1 | set-variable accountName
}
}
$accountname = $accountname.trim()
if ( $accountName -eq $user ) {
$msg = $($loo.eventid -as [string])
+","+$(ShowEventMsg($loo.eventid))+","+$($loo.timegenerated -as
[string]).replace(" ",",")
write-host $msg
}
}
--END
audit.ps1--------------------------------------------------------------------------
On 25 October 2014 at 04:10, Angela <angela_smith9@xxxxxxxxxxx> wrote:
> Hi
>
> Does anyone know a way to interrogate Event Viewer to get login/logoff
> details for a specific user account (local account) in Windows 2008?. I
> created a Custom View using a XML filter in Event Viewer with the following:
>
> <QueryList>
> <Query Id="0" Path="Security">
> <Select Path="Security">
> *[System[(EventID=4624)
> and
> TimeCreated[timediff(@SystemTime) <= 2592000000]]
> and
> EventData[Data[@Name='TargetUserName'] and (Data='UserAccount')]
> and
> EventData[Data[@Name='LogonType'] and (Data='10')]]
> </Select>
> </Query>
> </QueryList>
>
> This works for logon info but cannot incorporate the logoff code as I get
> syntax errors. Has anyone performed this?
>
> Thanks
>
--
Andrew
Gilwood CS
Sunderland, UK
Other related posts:
