Link to home
Create AccountLog in
Avatar of pzozulka
pzozulka

asked on

List specific Events from the Security Event Log

Greetings,

I am in charge of a server that needs to collect logon/logoff security logs from various workstations.
I looked into a couple books laying around and found a VBS script. However, the script backs up everything, I need to narrow it down to only a specific user, and only event id = 528 or 551.

The script is below, how can it be modified to be more specific, or are there any other script that can do what I need?
On Error Resume Next
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
 
Set FSO = CreateObject("Scripting.FileSystemObject")
Set txt = FSO.CreateTextFile("C:\Scriptfiles\vbs\text.txt", True)
For each Entry in EventLog
 If Len(Entry.Message) > 0 Then
  For x = 1 to Len(Entry.Message)
   Char = Mid(Entry.Message,x,1)
   If Asc(Char) = 10 Then
    MSG = MSG & " "
   ElseIf Asc(Char) <> 13 Then
    MSG = MSG & Char
   End If
  Next
 EDate = Mid(Entry.TimeGenerated,5,2) & "/" & _
  Mid(Entry.TimeGenerated,7,2) & "/" & _
  Mid(Entry.TimeGenerated,1,4)
 ETime = Mid(Entry.TimeGenerated,9,2) & ":" & _
  Mid(Entry.TimeGenerated,11,2) & ":" & _
  Mid(Entry.TimeGenerated,13,2)
 ETime = FormatDateTime(ETime,3)
 
 If IsNull(Entry.User)  Then
  User = "N/A"
 Else
  User = Entry.User
 End If
 
 If IsNull(Entry.CategoryString) Then
  Category = "none"
 Else
  Category =Entry.CategoryString
 End If
 
 EVT = Entry.LogFile & VBtab & _
 Entry.Type & VBtab & _
 EDate & VBtab & _
 ETime & VBTab & _
 Entry.SourceName & VBtab & _
 Category & VBtab & _
 Entry.EventCode & VBtab & _
 User & VBtab & _
 Entry.ComputerName & VBtab & _
 MSG
 txt.writeline EVT
 
 EVT = Null
 Char = Null
 MSG = Null
End If
Next
txt.close
Wscript.echo "Done"

Open in new window

Avatar of Member_2_4512246
Member_2_4512246

just replace the  second line of your script with a following line

Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where (EventCode=7036 Or EventCode=7035) And User='exact_user_name'  ")

Disregard the previous comment. I typed  the wrong error codes. (just used them to test the solution)
The main idea is the same .

Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where (EventCode=528 Or EventCode=551) And User='exact_user_name'  ")

Pay attention to the exact_user_name. If it is in form Domain\User or Computer\User  than you'll have to write it with a double slash  like 'Domain\\User'
For additional fields avaiable for  filtering take a look at http://msdn.microsoft.com/en-us/library/aa394226(VS.85).aspx
Avatar of pzozulka

ASKER

Hey, thanks for your response. The text output file is empty, no data inside. Without making alterations the script runs fine, when I change the second line to the below it runs fine:

Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Application'")

But when I change it to the below, it makes an empty output txt file:

Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Security'")
I tried running the script with your alterations and it also make the output file blank.
the output file is empty when  there is no records matching the search  criteria.
Please verify that you have records matching your where clause.
Do you have any records in the security log?
6,949 Events in Security Log.
Ok.
Let's try slightly different approach. In this version there  is no  filtering in the select statement.
Instead of this all the filtering  is done in the for loop. To make the code more readable I've restructured it and also added some informational printouts to see what's going on.

Please pay attention that the   On Error Resume Next directive is commented out.
This is to prevent silent skipping over  the errors.
Just replace Your_User_Name with the real  one and give a try.
'On Error Resume Next
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
 
if EventLog.Count=0 Then 
 Wscript.echo "No Records Found"
else  
 Wscript.echo "Found " &  EventLog.Count & " records"
 Set FSO = CreateObject("Scripting.FileSystemObject")
 Set txt = FSO.CreateTextFile("C:\text.txt", True)
 i=0
 For each Entry in EventLog
	 If Not IsNull(Entry.User)  And  InStr(Entry.User,"Your_User_Name") AND (Entry.EventCode=528 Or Entry.EventCode=551) then
		SaveRecord Entry
		i=i+1
	 end if
 next	
 Wscript.echo "Added to file " &  i & " records"
 txt.close
end if
Wscript.echo "Done"
 
 
sub SaveRecord (Entry)
If Len(Entry.Message) > 0 Then
   For x = 1 to Len(Entry.Message)
    Char = Mid(Entry.Message,x,1)
    If Asc(Char) = 10 Then
     MSG = MSG & " "
    ElseIf Asc(Char) <> 13 Then
     MSG = MSG & Char
    End If
  Next
 EDate = Mid(Entry.TimeGenerated,5,2) & "/" & _
  Mid(Entry.TimeGenerated,7,2) & "/" & _
  Mid(Entry.TimeGenerated,1,4)
 ETime = Mid(Entry.TimeGenerated,9,2) & ":" & _
  Mid(Entry.TimeGenerated,11,2) & ":" & _
  Mid(Entry.TimeGenerated,13,2)
 ETime = FormatDateTime(ETime,3)
 
 If IsNull(Entry.User)  Then
  User = "N/A"
 Else
  User = Entry.User
 End If
 
 If IsNull(Entry.CategoryString) Then
  Category = "none"
 Else
  Category =Entry.CategoryString
 End If
 
 EVT = Entry.LogFile & VBtab & _
 Entry.Type & VBtab & _
 EDate & VBtab & _
 ETime & VBTab & _
 Entry.SourceName & VBtab & _
 Category & VBtab & _
 Entry.EventCode & VBtab & _
 User & VBtab & _
 Entry.ComputerName & VBtab & _
 MSG
 txt.writeline EVT
 
 EVT = Null
 Char = Null
 MSG = Null
End If
end sub

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of Member_2_4512246
Member_2_4512246

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Thanks man, success.