Solved

Query Security logs for Logon

Posted on 2009-05-06
12
400 Views
Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.
0
Comment
Question by:LrdKanien
12 Comments
 
LVL 9

Expert Comment

by:SirtenKen
ID: 24321001
I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322090
You can enter specified credentials in these lines:

UserName = ""
Password = ""

Even if you leave them blank (as is), the script will run.
Event ID 538 is a log off event, so I didn't enter it in the script.
' Target computer and credentials (leave blank to use the current credentials)
strComputer = InputBox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer, "root\CIMV2", UserName, Password)

' Successful logon events (528) from the Security log
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Print each event's properties
For Each objEvent In colEvents
    WScript.Echo "Category: " & objEvent.Category
    WScript.Echo "Computer Name: " & objEvent.ComputerName
    WScript.Echo "Event Code: " & objEvent.EventCode
    WScript.Echo "Message: " & objEvent.Message
    WScript.Echo "Record Number: " & objEvent.RecordNumber
    WScript.Echo "Source Name: " & objEvent.SourceName
    WScript.Echo "Time Written: " & objEvent.TimeWritten
    WScript.Echo "Event Type: " & objEvent.Type
    WScript.Echo "User: " & objEvent.User
Next


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322099
So the script won't bug you with the press-OK message, run it from the command line like this:

cscript scriptname.vbs
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322110
This modified version will save the output to a txt file.
Change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"
 


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322113
Crap, messed up here:
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


0
 

Author Comment

by:LrdKanien
ID: 24328209
OK, this is a great start. A couple of things I'd like to change though:

1. The events are one after another. I was hoping to get each event as one line, such as user, logon type, time, etc. Reading it in this form is not very easy.

2. The time written is a number that must be system time in a format that I don't understand. Any way to change that to what I would consider normal time formatting?
0
 
LVL 14

Accepted Solution

by:
yehudaha earned 500 total points
ID: 24336552
1. Script changed to write to CSV format, easy to read.

2. Time changed to normal time format.

Here:
' Output file: change the path and name here
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.csv", True)

' Target computer and credentials (leave blank to use the current credentials)
strComputer = InputBox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer, "root\CIMV2", UserName, Password)

' Successful logon events (528) from the Security log
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Header row
objlog.WriteLine "Category,Computer Name,Event Code,Message,Record Number,Source Name,Time Written,Event Type,User"

' One quoted, comma-separated line per event
For Each objEvent In colEvents
   objlog.Write CsvField(objEvent.Category) & ","
   objlog.Write CsvField(objEvent.ComputerName) & ","
   objlog.Write CsvField(objEvent.EventCode) & ","
   objlog.Write CsvField(objEvent.Message) & ","
   objlog.Write CsvField(objEvent.RecordNumber) & ","
   objlog.Write CsvField(objEvent.SourceName) & ","
   objlog.Write CsvField(WMIDateStringToDate(objEvent.TimeWritten)) & ","
   objlog.Write CsvField(objEvent.Type) & ","
   objlog.Write CsvField(objEvent.User)
   objlog.WriteLine
Next

MsgBox "done"

' Wrap a value in double quotes, doubling any quotes inside it: the Message
' field can contain quotes and line breaks, which would otherwise break the CSV
Function CsvField(strValue)
    CsvField = Chr(34) & Replace(strValue & "", Chr(34), Chr(34) & Chr(34)) & Chr(34)
End Function

' Convert a WMI date string (yyyymmddHHMMSS.mmmmmm+zzz) to a normal date/time
Function WMIDateStringToDate(dtmEventDate)
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid(dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function


0
 

Author Comment

by:LrdKanien
ID: 24340036
The event type didn't show in the csv when I opened it in excel.  

The code rocks though, thank you very much for this start.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24345644
>> The event type didn't show in the csv when I opened it in excel.

You mean event code?

The event code column shows for me.
0
 

Author Comment

by:LrdKanien
ID: 24345971
I mistyped. I mean the logon type. The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346749
You asked for a "successful logon" script and this is what you got.

About logon type, I don't think there is a way to query such a thing from the examples you gave, like:
>> locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346751
But you can look in the user column and see if it's a remote or local user event.
0
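As an added example (not code from the thread or its author): the same pipeline in Python, run offline against constructed sample rows shaped like Win32_NTLogEvent objects. It converts the WMI timestamp while keeping the UTC offset the VBScript drops, pulls the "Logon Type" field out of the 528 message text that the last comments discuss, and lets the csv module handle quoting so a multi-line Message still lands in one row. The sample events and their field values are assumptions for the demonstration.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Win32_NTLogEvent objects; not real log data.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "EventCode": 528, "TimeWritten": "20090506143012.000000-240",
     "Message": "Successful Logon:\r\n\tUser Name:\tjdoe\r\n\tDomain:\tCORP\r\n"
                "\tLogon Type:\t2\r\n\tWorkstation Name:\t\"WS01\""},
    {"ComputerName": "WS01", "EventCode": 528, "TimeWritten": "20090506150000.000000+000",
     "Message": "Successful Logon:\r\n\tUser Name:\tsvc_backup\r\n\tDomain:\tCORP\r\n"
                "\tLogon Type:\t3\r\n\tWorkstation Name:\tFS02"},
]

def wmi_date_to_datetime(s):
    """Convert a WMI datetime (yyyymmddHHMMSS.ffffff+UUU) to an aware datetime.
    The trailing field is the UTC offset in minutes, which the thread's VBScript drops."""
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-]\d{3})", s)
    if not m:
        raise ValueError("not a WMI datetime: %r" % s)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    tz = timezone(timedelta(minutes=int(m.group(3))))
    return naive.replace(microsecond=int(m.group(2)), tzinfo=tz)

def logon_type(message):
    """Pull the numeric 'Logon Type' field out of a 528 message body; None if absent."""
    m = re.search(r"Logon Type:\s*(\d+)", message)
    return int(m.group(1)) if m else None

def events_to_csv(events):
    """One row per event, logon type in its own column. csv.writer quotes fields that
    contain commas, quotes or newlines, so a multi-line Message stays one record."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["Computer Name", "Event Code", "Time Written", "Logon Type", "Message"])
    for e in events:
        w.writerow([e["ComputerName"], e["EventCode"],
                    wmi_date_to_datetime(e["TimeWritten"]).isoformat(),
                    logon_type(e["Message"]), e["Message"]])
    return out.getvalue()

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS))
```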
