Solved

Query Security logs for Logon

Posted on 2009-05-06
Medium Priority
428 Views
Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.
Question by:LrdKanien
12 Comments
 
LVL 9

Expert Comment

by:SirtenKen
ID: 24321001
I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322090
you can enter specified credentials in these lines:

UserName = ""
Password = ""

even if you leave them blank (as is) the script will run.
event id 538 is a logoff event, I didn't enter it into the script.
strComputer = inputbox("Enter Computer Name")
' leave both blank to connect with the credentials of the current user
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
' EventCode 528 = successful logon in the Security log (pre-Vista event ID)
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    ' TimeWritten is a CIM datetime string (yyyymmddHHMMSS.ffffff+UUU), not a formatted time
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322099
so the script will not bug you with "press OK" messages, run it from the command line like this:

cscript scriptname.vbs
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322110
this modified version will save the output to a txt file.
change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)

' the FileSystemObject must exist before the log file is created from it
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"
 


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322113
crap, messed up here
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


0
 

Author Comment

by:LrdKanien
ID: 24328209
ok, this is a great start. A couple of things I'd like to change though:

1. The events are one after another; I was hoping to get each event as one line, such as user, logon type, time, etc. Reading it in this form is not very easy.

2. The time written is a number that must be system time in a format that I don't understand. Any way to change that to what I would consider normal time formatting?
0
 
LVL 14

Accepted Solution

by:
yehudaha earned 2000 total points
ID: 24336552
1. script changed to write to csv format, easy to read

2. time changed to normal time format

here:
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.csv", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
            
   ' header row: no trailing comma, so the columns line up with the data rows below
   objlog.Write "Category" & ","
   objlog.Write "Computer Name" & ","
   objlog.Write "Event Code" & ","
   objlog.Write "Message" & ","
   objlog.Write "Record Number" & ","
   objlog.Write "Source Name" & ","
   objlog.Write "Time Written" & ","
   objlog.Write "Event Type" & ","
   objlog.Write "User"
   objlog.WriteLine
 
For Each objEvent in colEvents
   objlog.Write Chr(34) & objEvent.Category & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.ComputerName & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.EventCode & Chr(34) & "," 
   ' the message spans several lines; doubling any embedded quote keeps the CSV field intact
   objlog.Write Chr(34) & Replace(objEvent.Message, Chr(34), Chr(34) & Chr(34)) & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.RecordNumber & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.SourceName & Chr(34) & "," 
   objlog.Write Chr(34) & WMIDateStringToDate(objEvent.TimeWritten) & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.Type & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.User & Chr(34) 
   objlog.WriteLine
Next
 
MsgBox "done"
 
 
' converts the CIM datetime string (yyyymmddHHMMSS.ffffff+UUU) to a VBScript Date;
' the UTC offset (+UUU) is dropped, and CDate follows the system locale, so the
' assembled "MM/DD/YYYY" string is only read as month/day on US-style locales
Function WMIDateStringToDate(dtmEventDate)
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid (dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function


0
 

Author Comment

by:LrdKanien
ID: 24340036
The event type didn't show in the csv when I opened it in excel.  

The code rocks though, thank you very much for this start.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24345644
>> The event type didn't show in the csv when I opened it in excel.  

you mean event code?

the event code column shows for me
0
 

Author Comment

by:LrdKanien
ID: 24345971
I mistyped. I mean the logon type. The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346749
you asked for a "successful logon" script and this is what you got.

about logon type, I don't think there is a way to query such a thing from the examples you gave, like:
>> locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346751
but you can look in the user column and see if it's a remote or local user event
0
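The thread leaves two things open: the "Time Written" value is a CIM datetime string whose UTC offset the CDate() conversion discards, and the logon type (local, unlock, remote) that the asker wants is carried in the text of the event message rather than in a queryable property. The following is an added example, not code from this thread or from either participant: it is Python, it assumes the records come from Win32_NTLogEvent with the same properties the VBScript above reads (ComputerName, EventCode, RecordNumber, TimeWritten, Message), and it assumes the message has the tab-separated "Key: Value" layout of a pre-Vista event 528. The sample events are constructed in the block, not taken from a real log. It parses the datetime with its offset, pulls the Logon Type line out of the message, maps the number to its documented name, and writes one CSV line per event with quoting that survives embedded newlines and double quotes.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Logon Type values as documented by Microsoft for the Windows logon audit events.
LOGON_TYPES = {
    2: "Interactive",         # console logon
    3: "Network",             # e.g. access to a share
    4: "Batch",
    5: "Service",
    7: "Unlock",              # workstation unlock
    8: "NetworkCleartext",
    9: "NewCredentials",      # RunAs /netonly
    10: "RemoteInteractive",  # RDP / Terminal Services
    11: "CachedInteractive",  # domain logon with cached credentials
}

# CIM_DATETIME as returned by Win32_NTLogEvent.TimeWritten: yyyymmddHHMMSS.ffffff+UUU,
# where UUU is the offset from UTC in minutes.
WMI_DATE_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-]\d{3})$")

def wmi_date_to_datetime(value):
    """Parse a CIM_DATETIME string into a timezone-aware datetime.
    Unlike CDate() on a reassembled MM/DD/YYYY string, this keeps the UTC offset
    and does not depend on the locale's date order."""
    m = WMI_DATE_RE.match(value)
    if not m:
        raise ValueError("not a CIM_DATETIME value: %r" % value)
    y, mo, d, h, mi, s, us, off = m.groups()
    tz = timezone(timedelta(minutes=int(off)))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)

# Message lines look like "\tLogon Type:\t2"; the first line ("Successful Logon:") has no value.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_message_fields(message):
    """Turn the Key: Value lines of an event message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2)
    return fields

def logon_type(fields):
    """Return (number, name) for the Logon Type field, or (None, 'Unknown') if absent."""
    raw = fields.get("Logon Type")
    if raw is None or not raw.isdigit():
        return None, "Unknown"
    n = int(raw)
    return n, LOGON_TYPES.get(n, "Unknown")

COLUMNS = ["TimeWritten", "ComputerName", "EventCode", "RecordNumber", "Domain", "UserName",
           "LogonType", "LogonTypeName", "WorkstationName", "Message"]

def flatten_event(event):
    """One event record -> one flat row (the per-event dict mirrors the WMI properties)."""
    fields = parse_message_fields(event["Message"])
    n, name = logon_type(fields)
    return {
        "TimeWritten": wmi_date_to_datetime(event["TimeWritten"]).isoformat(),
        "ComputerName": event["ComputerName"],
        "EventCode": event["EventCode"],
        "RecordNumber": event["RecordNumber"],
        "Domain": fields.get("Domain", ""),
        "UserName": fields.get("User Name", ""),
        "LogonType": "" if n is None else n,
        "LogonTypeName": name,
        "WorkstationName": fields.get("Workstation Name", ""),
        "Message": event["Message"],
    }

def events_to_csv(events):
    """One CSV line per event; the csv module quotes fields containing newlines or quotes."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for ev in events:
        writer.writerow(flatten_event(ev))
    return out.getvalue()

def read_csv(text):
    """Read the CSV back into a list of rows (header first), for checking the output."""
    return list(csv.reader(io.StringIO(text)))

def _message(user, domain, logon_type_no, workstation):
    # Constructed text in the shape of a pre-Vista event 528 message (sample data, not a real log).
    return ("Successful Logon:\n"
            "\tUser Name:\t%s\n\tDomain:\t\t%s\n\tLogon ID:\t\t(0x0,0x3E7)\n"
            "\tLogon Type:\t%d\n\tLogon Process:\tUser32  \n"
            "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\t%s\n"
            % (user, domain, logon_type_no, workstation))

# Constructed sample records standing in for what ExecQuery would return.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "EventCode": 528, "RecordNumber": 1001,
     "TimeWritten": "20090506143000.000000-420", "Message": _message("jdoe", "CORP", 2, "WS01")},
    {"ComputerName": "WS01", "EventCode": 528, "RecordNumber": 1002,
     "TimeWritten": "20090506151500.000000-420", "Message": _message("jdoe", "CORP", 10, "LAPTOP7")},
    {"ComputerName": "WS01", "EventCode": 528, "RecordNumber": 1003,
     "TimeWritten": "20090506160000.000000-420", "Message": _message("jdoe", "CORP", 7, "WS01")},
]

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS))
```

Run stand-alone it prints the CSV for the three constructed events; in practice the event dicts would be filled from the WMI query results, and the "LogonTypeName" column answers the local-versus-remote question directly (type 2 console, type 7 unlock, type 10 remote desktop) instead of inferring it from the user column.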
