Solved

Query Security logs for Logon

Posted on 2009-05-06
393 Views
Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.
0
Question by:LrdKanien
12 Comments
 
LVL 9

Expert Comment

by:SirtenKen
ID: 24321001
I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322090
You can enter specified credentials in these lines:

UserName = ""
Password = ""

Even if you leave them blank (as is), the script will run.
Event ID 538 is a logoff event; I didn't enter it into the script.
' Target computer; blank user name and password mean "connect as the current user"
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""

Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

' Event 528 = successful logon in the pre-Vista Security log
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322099
So the script will not bug you with a "press OK" message, run it from the command line like this:

cscript scriptname.vbs
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322110
This modified version will save the output to a txt file.
Change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)
Set objfso = CreateObject("Scripting.FileSystemObject")

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)

strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""

Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next

MsgBox "done"

strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""

Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next

MsgBox "done"


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322113
crap messed up here
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)

strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""

Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next

MsgBox "done"


0
 

Author Comment

by:LrdKanien
ID: 24328209
OK, this is a great start. A couple of things I'd like to change though:

1. The events are one after another; I was hoping to get each event as one line, such as user, logon type, time, etc. Reading it in this form is not very easy.

2. The time written is a number that must be system time in a format I don't understand. Any way to change that to what I would consider normal time formatting?
0
 
LVL 14

Accepted Solution

by:
yehudaha earned 500 total points
ID: 24336552
1. Script changed to write to CSV format, easy to read.

2. Time changed to normal time format.

Here:
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.csv", true)

strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""

Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Header row; no trailing comma after "User" so it lines up with the data columns
   objlog.Write "Category" & ","
   objlog.Write "Computer Name" & ","
   objlog.Write "Event Code" & ","
   objlog.Write "Message" & ","
   objlog.Write "Record Number" & ","
   objlog.Write "Source Name" & ","
   objlog.Write "Time Written" & ","
   objlog.Write "Event Type" & ","
   objlog.Write "User"
   objlog.WriteLine

' One quoted row per event. Double quotes inside the (multi-line) message are
' doubled so Excel keeps the whole message in a single cell.
For Each objEvent in colEvents
   objlog.Write Chr(34) & objEvent.Category & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.ComputerName & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.EventCode & Chr(34) & ","
   objlog.Write Chr(34) & Replace(objEvent.Message, Chr(34), Chr(34) & Chr(34)) & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.RecordNumber & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.SourceName & Chr(34) & ","
   objlog.Write Chr(34) & WMIDateStringToDate(objEvent.TimeWritten) & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.Type & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.User & Chr(34)
   objlog.WriteLine
Next

MsgBox "done"

' Convert a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UTC) to a VBScript Date.
' The fractional seconds and the UTC offset at the end of the string are ignored.
Function WMIDateStringToDate(dtmEventDate)
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid (dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function


0
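The accepted solution converts the WMI TimeWritten value with WMIDateStringToDate, which throws away the fractional seconds and the UTC offset that the DMTF string carries, and it builds the CSV by hand. The following Python example is added here as an illustration and is not part of the thread; it parses the same DMTF format while keeping the offset, so records from hosts in different time zones can be ordered correctly, and uses the csv module to write one quoted row per event. The event records, host name, user names and record numbers are constructed sample data, and the column order follows the header row the VBScript writes.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# WMI returns TimeWritten as a DMTF datetime string:
#   yyyymmddHHMMSS.mmmmmm+UUU
# where UUU is the offset from UTC in minutes, with an explicit sign.
_DMTF_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$"
)

# Column order matches the header row the VBScript writes to c:\log.csv.
COLUMNS = ["Category", "Computer Name", "Event Code", "Message", "Record Number",
           "Source Name", "Time Written", "Event Type", "User"]


def dmtf_to_datetime(value):
    """Parse a DMTF datetime into a timezone-aware datetime.

    WMIDateStringToDate in the script drops the fraction and the UTC offset;
    keeping both lets records from several machines be compared directly.
    """
    m = _DMTF_RE.match(value)
    if m is None:
        raise ValueError("not a DMTF datetime: %r" % (value,))
    parts = [int(x) for x in m.groups()[:7]]   # y, m, d, H, M, S, microseconds
    sign = 1 if m.group(8) == "+" else -1
    tz = timezone(timedelta(minutes=sign * int(m.group(9))))
    return datetime(*parts, tzinfo=tz)


def dmtf_to_local_text(value):
    """The 'normal' local wall-clock time, as the script's CSV shows it."""
    return dmtf_to_datetime(value).strftime("%Y-%m-%d %H:%M:%S")


def dmtf_to_utc_text(value):
    """The same instant normalised to UTC, for correlating several hosts."""
    return dmtf_to_datetime(value).astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def events_to_csv(events):
    """One row per event. The csv module doubles embedded quotes and keeps the
    multi-line Message inside a single quoted field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for ev in events:
        writer.writerow([
            ev["Category"], ev["ComputerName"], ev["EventCode"], ev["Message"],
            ev["RecordNumber"], ev["SourceName"], dmtf_to_local_text(ev["TimeWritten"]),
            ev["Type"], ev["User"],
        ])
    return buf.getvalue()


def read_csv_rows(text):
    """Parse CSV text back into a list of rows (checks the round trip)."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample records, shaped like the Win32_NTLogEvent properties the
# script reads; host name, users and record numbers are made up.
SAMPLE_EVENTS = [
    {"Category": 2, "ComputerName": "WS01", "EventCode": 528,
     "Message": "Successful Logon:\r\n\tUser Name:\talice\r\n\tDomain:\tCORP\r\n\tLogon Type:\t2",
     "RecordNumber": 4711, "SourceName": "Security",
     "TimeWritten": "20090506143015.250000-240", "Type": "Audit Success",
     "User": "CORP\\alice"},
    {"Category": 2, "ComputerName": "WS01", "EventCode": 528,
     "Message": 'Successful Logon:\r\n\tUser Name:\t"svc-backup"\r\n\tLogon Type:\t3',
     "RecordNumber": 4712, "SourceName": "Security",
     "TimeWritten": "20090506143020.000000-240", "Type": "Audit Success",
     "User": "CORP\\svc-backup"},
]

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS))
```

The offset matters in practice: "-240" means the host's clock was four hours behind UTC, so the 14:30 local timestamp above is 18:30 UTC, and a logon recorded on a machine in another zone can only be lined up against it once both are normalised.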
 

Author Comment

by:LrdKanien
ID: 24340036
The event type didn't show in the csv when I opened it in excel.  

The code rocks though, thank you very much for this start.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24345644
>> The event type didn't show in the csv when I opened it in excel.

You mean event code?

The event code column shows for me.
0
 

Author Comment

by:LrdKanien
ID: 24345971
I mistyped. I mean the logon type. The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346749
You asked for a "successful logon" script and this is what you got.

About logon type, I don't think there is a way to query such a thing from the examples you gave like:
>> locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346751
But you can look in the user column and see if it's a remote or local user event.
0
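The CSV the accepted script produces already carries the information the asker wants: on Windows 2000/2003 the description text of event 528 contains a "Logon Type:" line, and its numeric code distinguishes a console logon from a network logon, an unlock, or a Remote Desktop session. The Python below is an added example, not code from the thread, that reads the User and Message columns, pulls the code out of the message and maps it to its documented name. The sample messages are constructed to look like 528 descriptions, and the user names are made up.

```python
import re
from collections import Counter

# Logon type codes as Windows records them in the 528 "Successful Logon"
# description (the later 4624 event uses the same codes).
LOGON_TYPES = {
    2: "Interactive (local console)",
    3: "Network (file share, RPC, authenticated web access)",
    4: "Batch (scheduled task)",
    5: "Service (service started under a user account)",
    7: "Unlock (workstation unlocked)",
    8: "NetworkCleartext (password sent in the clear, e.g. basic auth)",
    9: "NewCredentials (RunAs /netonly)",
    10: "RemoteInteractive (Terminal Services / Remote Desktop)",
    11: "CachedInteractive (domain logon with cached credentials)",
}

_LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def extract_logon_type(message):
    """Return the numeric logon type from a 528 message body, or None if absent."""
    m = _LOGON_TYPE_RE.search(message or "")
    return int(m.group(1)) if m else None


def describe_logon_type(code):
    return LOGON_TYPES.get(code, "Unknown logon type %r" % (code,))


def summarize_logons(rows):
    """rows: iterable of (user, message) pairs taken from the script's CSV.

    Returns a Counter keyed by (user, logon type name) and the list of users
    with RemoteInteractive (type 10) logons, which is the column a reviewer
    usually wants first when checking who reached a host over Remote Desktop.
    """
    counts = Counter()
    remote = []
    for user, message in rows:
        code = extract_logon_type(message)
        counts[(user, describe_logon_type(code))] += 1
        if code == 10:
            remote.append(user)
    return counts, remote


# Constructed sample (user, message) pairs shaped like 528 descriptions.
SAMPLE_ROWS = [
    ("CORP\\alice", "Successful Logon:\r\n\tUser Name:\talice\r\n\tDomain:\tCORP\r\n"
                    "\tLogon ID:\t(0x0,0x3E7)\r\n\tLogon Type:\t2\r\n\tLogon Process:\tUser32"),
    ("CORP\\alice", "Successful Logon:\r\n\tUser Name:\talice\r\n\tDomain:\tCORP\r\n"
                    "\tLogon Type:\t7\r\n\tLogon Process:\tUser32"),
    ("CORP\\svc-backup", "Successful Logon:\r\n\tUser Name:\tsvc-backup\r\n\tDomain:\tCORP\r\n"
                         "\tLogon Type:\t3\r\n\tLogon Process:\tKerberos"),
    ("CORP\\bob", "Successful Logon:\r\n\tUser Name:\tbob\r\n\tDomain:\tCORP\r\n"
                  "\tLogon Type:\t10\r\n\tLogon Process:\tUser32"),
    ("NT AUTHORITY\\SYSTEM", "Successful Logon:\r\n\tUser Name:\tSYSTEM"),  # no Logon Type line
]

if __name__ == "__main__":
    counts, remote = summarize_logons(SAMPLE_ROWS)
    for (user, kind), n in sorted(counts.items()):
        print("%-22s %-60s %d" % (user, kind, n))
    print("Remote Desktop logons:", remote)
```

A message without a "Logon Type:" line maps to None rather than raising, so a malformed or truncated record shows up as "Unknown" in the summary instead of stopping the run.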
