Solved

Query Security logs for Logon

Posted on 2009-05-06
12
413 Views
Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.
Question by:LrdKanien
12 Comments
 
LVL 9

Expert Comment

by:SirtenKen
ID: 24321001
I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322090
you can enter specified credentials in these lines:

UserName = ""
Password = ""

even if you leave them blank (as is) the script will run.
event id 538 is a log off event, so I didn't enter it into the script.

strComputer = inputbox("Enter Computer Name")
' Leave both blank to connect with the credentials of the account running the script
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
' Connect to WMI on the target; reading the Security log remotely requires administrative rights there
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
' Security event 528 = successful logon (Windows 2000/XP/2003 event ID)
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
' Print the properties of each matching event, one property per line
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322099
so the script will not bug you with a "press ok" message, run it from the command line like this:

cscript scriptname.vbs
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322110
this modified version will save the output to a txt file
change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322113
crap messed up here
' Output file; change the path and name as needed
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
' Leave both blank to connect with the credentials of the account running the script
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
' Security event 528 = successful logon
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
' Write the properties of each event to the text file instead of the console
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
objlog.Close
MsgBox "done"


0
 

Author Comment

by:LrdKanien
ID: 24328209
ok, this is a great start. A couple of things I'd like to change though:

1. The events are listed one after another; I was hoping to get each event as one line, such as user, logon type, time, etc. Reading it in this form is not very easy.

2. The time written is a number that must be system time in a format I don't understand. Any way to change that to what I would consider normal time formatting?
0
 
LVL 14

Accepted Solution

by:
yehudaha earned 500 total points
ID: 24336552
1. script changed to write in csv format, easy to read

2. time changed to normal time format

here:
Set objfso = CreateObject("Scripting.FileSystemObject")
' Output file; change the path and name as needed
Set objlog = objfso.CreateTextFile("c:\log.csv", true)
 
strComputer = inputbox("Enter Computer Name")
' Leave both blank to connect with the credentials of the account running the script
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
' Security event 528 = successful logon
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Header row (no trailing comma, so the column count matches the data rows)
objlog.WriteLine "Category,Computer Name,Event Code,Message,Record Number,Source Name,Time Written,Event Type,User"
 
' One event per line; every field is quoted so commas and line breaks in the Message stay inside one cell
For Each objEvent in colEvents
   objlog.Write Quote(objEvent.Category) & ","
   objlog.Write Quote(objEvent.ComputerName) & ","
   objlog.Write Quote(objEvent.EventCode) & ","
   objlog.Write Quote(objEvent.Message) & ","
   objlog.Write Quote(objEvent.RecordNumber) & ","
   objlog.Write Quote(objEvent.SourceName) & ","
   objlog.Write Quote(WMIDateStringToDate(objEvent.TimeWritten)) & ","
   objlog.Write Quote(objEvent.Type) & ","
   objlog.WriteLine Quote(objEvent.User)
Next
 
objlog.Close
MsgBox "done"
 
' Wrap a value in double quotes for CSV, doubling any quotes inside it (Null becomes an empty field)
Function Quote(value)
    Quote = Chr(34) & Replace(value & "", Chr(34), Chr(34) & Chr(34)) & Chr(34)
End Function
 
' TimeWritten is a WMI CIM_DATETIME string such as 20090506143015.000000-240
' (yyyymmddHHMMSS.microseconds followed by the UTC offset in minutes).
' DateSerial/TimeSerial build the date from the digits directly, so the result
' does not depend on the machine's date format the way CDate("05/06/2009 ...") would.
Function WMIDateStringToDate(dtmEventDate)
    WMIDateStringToDate = DateSerial(CInt(Left(dtmEventDate, 4)), _
        CInt(Mid(dtmEventDate, 5, 2)), CInt(Mid(dtmEventDate, 7, 2))) _
        + TimeSerial(CInt(Mid(dtmEventDate, 9, 2)), _
        CInt(Mid(dtmEventDate, 11, 2)), CInt(Mid(dtmEventDate, 13, 2)))
End Function


0
 

Author Comment

by:LrdKanien
ID: 24340036
The event type didn't show in the csv when I opened it in Excel.

The code rocks though, thank you very much for this start.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24345644
>> The event type didn't show in the csv when I opened it in Excel.

you mean event code?

the event code column shows for me
0
 

Author Comment

by:LrdKanien
ID: 24345971
I mistyped. I mean the logon type. The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346749
you asked for a "successful logon" script and this is what you got.

about logon type I don't think there is a way to query such a thing from the examples you gave, like:
>> locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346751
but you can look in the user column and see if it's a remote or local user event
0
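The two things the asker wanted from the accepted script (one line per event with a readable timestamp, and the logon type) can both be produced from the properties the WMI query already returns. The example below is an added illustration, not yehudaha's script or anything posted in this thread. It assumes the events have already been pulled (for instance by the script above) and are held as dicts keyed by the Win32_NTLogEvent property names (ComputerName, EventCode, RecordNumber, TimeWritten, Message); the two sample events, their message bodies and the name `SAMPLE_EVENTS` are constructed for the example. It goes beyond the thread in one respect: on Windows 2000/XP/2003 the text of event 528 carries a "Logon Type:" line, so the logon type (2 = interactive, 7 = unlock, 10 = Remote Desktop, and so on) can be read out of the Message field rather than queried separately.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Logon type codes carried in security event 528 (pre-Vista event ID).
# 2 = console logon, 7 = workstation unlock, 10 = Terminal Services / Remote Desktop,
# 3 = network (share or IIS access), 11 = logon with cached domain credentials.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# CIM_DATETIME layout: yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes
CIM_DATETIME = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-]\d{3})$")

FIELDS = ["time", "computer", "event_code", "record", "user", "logon_type",
          "logon_type_name", "workstation", "auth_package"]


def wmi_datetime(value):
    """Convert a WMI CIM_DATETIME string (what Win32_NTLogEvent.TimeWritten holds),
    e.g. '20090506143015.000000-240', into a timezone-aware datetime."""
    m = CIM_DATETIME.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    y, mo, d, h, mi, s, us, off = m.groups()
    tz = timezone(timedelta(minutes=int(off)))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)


def parse_logon_message(message):
    """Split the 'Field:<tab>value' lines of a 528 message body into a dict.
    The first line ('Successful Logon:') has no value and is skipped."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def event_to_row(event):
    """Flatten one event (dict keyed by Win32_NTLogEvent property names) into one
    CSV row, pulling user, logon type and workstation out of the message body.
    A message without a 'Logon Type' line yields logon_type None / 'Unknown'."""
    fields = parse_logon_message(event["Message"])
    raw_type = fields.get("Logon Type", "")
    logon_type = int(raw_type) if raw_type.isdigit() else None
    return {
        "time": wmi_datetime(event["TimeWritten"]).isoformat(),
        "computer": event["ComputerName"],
        "event_code": event["EventCode"],
        "record": event["RecordNumber"],
        "user": fields.get("Domain", "") + "\\" + fields.get("User Name", ""),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "workstation": fields.get("Workstation Name", ""),
        "auth_package": fields.get("Authentication Package", ""),
    }


def events_to_csv(events):
    """One header line plus one line per event. The csv module quotes commas,
    embedded quotes and line breaks correctly, which wrapping values in Chr(34) does not."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for event in events:
        writer.writerow(event_to_row(event))
    return buf.getvalue()


def _message(user, domain, logon_type, workstation):
    # Constructed 528 message body in the layout Windows XP/2003 uses
    return ("Successful Logon:\n"
            f"\tUser Name:\t{user}\n"
            f"\tDomain:\t\t{domain}\n"
            "\tLogon ID:\t\t(0x0,0x3E7)\n"
            f"\tLogon Type:\t{logon_type}\n"
            "\tLogon Process:\tUser32\n"
            "\tAuthentication Package:\tNegotiate\n"
            f"\tWorkstation Name:\t{workstation}\n")


# Constructed sample events; a real run would fill these from the WMI query
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "EventCode": 528, "RecordNumber": 1001,
     "TimeWritten": "20090506143015.000000-240",
     "Message": _message("jdoe", "CORP", 2, "WS01")},
    {"ComputerName": "WS01", "EventCode": 528, "RecordNumber": 1002,
     "TimeWritten": "20090506221200.000000-240",
     "Message": _message("admin", "CORP", 10, "ADMIN-PC")},
]

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS), end="")
```

Run as-is it prints a header and two rows, the second showing logon type 10 (RemoteInteractive) from workstation ADMIN-PC, which is the local-versus-remote distinction the asker was after. The same message-body parsing applies to the Vista-and-later event 4624, whose text also carries a "Logon Type:" line, though its other field names differ.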
