Solved

Query Security logs for Logon

Posted on 2009-05-06
Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.
12 Comments
 
LVL 9

Expert Comment

by:SirtenKen
ID: 24321001
I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322090
you can enter specified credentials in these lines:

UserName = ""
Password = ""

even if you leave them blank (as is), the script will run.
event id 538 is a logoff event; I didn't add it to the script.
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322099
so the script will not bug you with a "press OK" message, run it from the command line like this:

cscript scriptname.vbs
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322110
this modified version will save the output to a txt file
change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24322113
crap messed up here
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


0
 

Author Comment

by:LrdKanien
ID: 24328209
ok, this is a great start.  A couple of things I'd like to change though:

1.  The events are one after another; I was hoping to get each event as 1 line, such as user, logon type, time, etc.  Reading it in this form is not very easy.

2.  The time written is a number that must be system time in a format that I don't understand.  Any way to change that to what I would consider normal time formatting?
0
 
LVL 14

Accepted Solution

by:
yehudaha earned 500 total points
ID: 24336552
1. script changed to write to csv format, easy to read

2. time changed to normal time format

here:
' Output file: change the path and name here. CSV, so each event becomes one row.
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.csv", true)
 
' Target computer and optional credentials (leave blank to connect as the current user).
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
' WQL query: successful logon events (528) from the Security log.
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
            
   objlog.Write "Category" & ","
   objlog.Write "Computer Name" & ","
   objlog.Write "Event Code" & ","
   objlog.Write "Message" & ","
   objlog.Write "Record Number" & ","
   objlog.Write "Source Name" & ","
   objlog.Write "Time Written" & ","
   objlog.Write "Event Type" & ","
   objlog.Write "User"   ' no trailing comma, so the header and data columns line up
   objlog.WriteLine
 
For Each objEvent in colEvents
   objlog.Write Chr(34) & objEvent.Category & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.ComputerName & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.EventCode & Chr(34) & "," 
   objlog.Write Chr(34) & Replace(objEvent.Message, Chr(34), Chr(34) & Chr(34)) & Chr(34) & ","   ' double embedded quotes so the multi-line message stays one CSV field
   objlog.Write Chr(34) & objEvent.RecordNumber & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.SourceName & Chr(34) & "," 
   objlog.Write Chr(34) & WMIDateStringToDate(objEvent.TimeWritten) & Chr(34) & "," 
   objlog.Write Chr(34) & objEvent.Type & Chr(34) & ","
   objlog.Write Chr(34) & objEvent.User & Chr(34) 
   objlog.WriteLine
Next
 
MsgBox "done"
 
 
' Convert a WMI DATETIME string (yyyymmddHHMMSS.ffffff+UUU) to a VBScript Date.
' The trailing UTC offset (+UUU, in minutes) is dropped; the result is the local time as logged.
Function WMIDateStringToDate(dtmEventDate)
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid (dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function


0
 

Author Comment

by:LrdKanien
ID: 24340036
The event type didn't show in the csv when I opened it in excel.  

The code rocks though, thank you very much for this start.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24345644
>> The event type didn't show in the csv when I opened it in excel.  

you mean event code?

the event code column shows for me
0
 

Author Comment

by:LrdKanien
ID: 24345971
I mistyped.  I mean the logon type.  The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346749
you asked for a "successful logon" script and this is what you got.

about logon type, I don't think there is a way to query such a thing from the examples you gave like:
>> locking, logging on locally, remotely, etc.
0
 
LVL 14

Expert Comment

by:yehudaha
ID: 24346751
but you can look in the user column and see if it's a remote or local user event
0
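The two loose ends of this thread, the "normal time" conversion asked for above and the logon type asked for in the last few comments, can both be handled from the fields the WMI query already returns. The following Python is an added example, not code from the thread or from either participant: it parses the CIM DATETIME string that `Win32_NTLogEvent.TimeWritten` returns (keeping the UTC offset that the VBScript conversion drops), pulls the numeric `Logon Type:` line out of the 528 event's `Message` text, and writes one properly quoted CSV row per event. The two sample events are constructed for the example, the function names are mine, and the `LOGON_TYPES` table is the standard meaning of the Windows logon type numbers.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what a Win32_NTLogEvent query returns for two 528
# events (values made up for this example). TimeWritten is a CIM DATETIME
# string; Message is the multi-line text of the event.
SAMPLE_EVENTS = [
    {
        "EventCode": 528, "ComputerName": "WS01", "RecordNumber": 1001,
        "TimeWritten": "20090506091530.000000-240", "User": "CONTOSO\\jdoe",
        "Message": ("Successful Logon:\r\n\tUser Name:\tjdoe\r\n\tDomain:\t\tCONTOSO\r\n"
                    "\tLogon ID:\t\t(0x0,0x12345)\r\n\tLogon Type:\t2\r\n"
                    "\tLogon Process:\tUser32\r\n\tAuthentication Package:\tNegotiate\r\n"
                    "\tWorkstation Name:\tWS01\r\n"),
    },
    {
        "EventCode": 528, "ComputerName": "WS01", "RecordNumber": 1002,
        "TimeWritten": "20090506113005.000000-240", "User": "CONTOSO\\svc-backup",
        "Message": ("Successful Logon:\r\n\tUser Name:\tsvc-backup\r\n\tDomain:\t\tCONTOSO\r\n"
                    "\tLogon ID:\t\t(0x0,0x6789A)\r\n\tLogon Type:\t10\r\n"
                    "\tLogon Process:\tUser32\r\n\tAuthentication Package:\tNegotiate\r\n"
                    "\tWorkstation Name:\tADMIN-PC\r\n"),
    },
]

# Standard meaning of the Logon Type number in a 528 event.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

CIM_DATETIME = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})")


def wmi_datetime_to_datetime(cim):
    """Convert 'yyyymmddHHMMSS.ffffff+UUU' to an aware datetime.
    UUU is the offset from UTC in minutes; keeping it makes the timestamp
    unambiguous when logs from hosts in different time zones are compared."""
    m = CIM_DATETIME.fullmatch(cim)
    if not m:
        raise ValueError(f"not a CIM DATETIME: {cim!r}")
    y, mo, d, hh, mm, ss, us = (int(g) for g in m.groups()[:7])
    sign = 1 if m.group(8) == "+" else -1
    tz = timezone(sign * timedelta(minutes=int(m.group(9))))
    return datetime(y, mo, d, hh, mm, ss, us, tzinfo=tz)


def logon_type_from_message(message):
    """Return the numeric Logon Type from the event text, or None if absent."""
    m = re.search(r"Logon Type:\s*(\d+)", message)
    return int(m.group(1)) if m else None


def events_to_csv(events):
    """One CSV row per event. csv.writer quotes the embedded newlines and
    quotes in Message, which wrapping the field in Chr(34) by hand does not."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Time Written (ISO 8601)", "Computer Name", "Event Code", "Record Number",
                "User", "Logon Type", "Logon Type Name", "Message"])
    for ev in events:
        lt = logon_type_from_message(ev["Message"])
        w.writerow([
            wmi_datetime_to_datetime(ev["TimeWritten"]).isoformat(),
            ev["ComputerName"], ev["EventCode"], ev["RecordNumber"], ev["User"],
            "" if lt is None else lt,
            "" if lt is None else LOGON_TYPES.get(lt, "Unknown"),
            ev["Message"].strip(),
        ])
    return buf.getvalue()


def parse_csv(text):
    """Read the CSV back into rows (used to check that quoting round-trips)."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS))
```

Run it as `python logons_to_csv.py` (the file name is an assumption). On a real host the dictionaries in `SAMPLE_EVENTS` would be filled from the same `Win32_NTLogEvent` WQL query the thread uses; the regex on `Message` is the only extra step needed to get the logon type the asker wanted into its own column.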
