Solved

extract logon/logoff from Windows 2008 event logs

Posted on 2011-03-18
Last Modified: 2012-05-11
Hello,

Windows Server 2008 64-bit.

I'm looking for a way to parse logon/logoff activity for a specific user from the logon server's evtx files. I've checked out several snippets of batch and VBS files but have not been able to get them to work with evtx files.

Thanks,

Geoff
Question by:geoffdavis

Accepted Solution

by:
Raneesh Chitootharayil earned 250 total points
ID: 35170209

Assisted Solution

by:Volox
Volox earned 250 total points
ID: 35172523
There is the LogParser that MS makes available...
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

It not only will parse logs and let you search through them, it will allow you to do it for multiple source machines at the same time - so if you have multiple domain controllers, you can search the logs of all of them to find the entry you are looking for.

Check out the pre-built queries that are included (or at least they used to be included) that will help get you started.

Expert Comment

by:Volox
ID: 35732985
I think that raneeshcr gave a link to a valid thread and without feedback I have no reason to believe that my answer did not provide a viable solution. I suggest a split of points between the two of us that responded to this question.
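Added example, not part of any answer in this thread: one way to pull a single account's logon/logoff sessions out of Security events once the .evtx file has been exported as XML (for instance with `wevtutil qe Security.evtx /lf:true /f:xml /e:Events`). The function name, the `jdoe`/`asmith` accounts and the sample events are constructed for illustration; event IDs 4624 (logon), 4634 (logoff) and 4647 (user-initiated logoff) are the Security log IDs used on Windows Server 2008.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON, LOGOFF = {"4624"}, {"4634", "4647"}

def _ev(eid, ts, user, logon_id, ltype):
    # Helper that builds one constructed event in the exported XML shape.
    return ('<Event xmlns="%s"><System><EventID>%s</EventID>'
            '<TimeCreated SystemTime="%s.123456700Z"/></System><EventData>'
            '<Data Name="TargetUserName">%s</Data>'
            '<Data Name="TargetLogonId">%s</Data>'
            '<Data Name="LogonType">%s</Data></EventData></Event>'
            % (NS["e"], eid, ts, user, logon_id, ltype))

# Constructed sample input (not real log data).
SAMPLE = "<Events>" + "".join([
    _ev(4624, "2011-03-18T08:01:12", "jdoe", "0x3e7a1", 2),
    _ev(4624, "2011-03-18T08:05:00", "asmith", "0x40001", 2),
    _ev(4647, "2011-03-18T17:30:05", "jdoe", "0x3e7a1", 2),
    _ev(4634, "2011-03-18T17:30:06", "jdoe", "0x3e7a1", 2),
    _ev(4624, "2011-03-18T18:00:00", "jdoe", "0x51b22", 3),
]) + "</Events>"

def sessions_for(xml_text, user):
    """Pair logon and logoff events by TargetLogonId for one account."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        data = {d.get("Name"): d.text
                for d in ev.findall("e:EventData/e:Data", NS)}
        if (data.get("TargetUserName") or "").lower() != user.lower():
            continue  # account names are compared case-insensitively
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # SystemTime is UTC; drop the fractional seconds before parsing.
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        events.append((when, eid, data))
    open_sessions, result = {}, []
    for when, eid, data in sorted(events, key=lambda t: t[0]):
        lid = data.get("TargetLogonId")
        if eid in LOGON:
            open_sessions[lid] = (when, data.get("LogonType"))
        elif eid in LOGOFF and lid in open_sessions:
            # 4647 and 4634 can both appear for one logoff; the first wins.
            start, ltype = open_sessions.pop(lid)
            result.append({"logon_id": lid, "type": ltype,
                           "logon": start, "logoff": when})
    for lid, (start, ltype) in open_sessions.items():  # no logoff recorded
        result.append({"logon_id": lid, "type": ltype,
                       "logon": start, "logoff": None})
    return result
```

Sessions whose logoff is `None` had no matching logoff event in the exported file, which is common for network logons or when the log was cleared or rolled over.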
