Solved

Filtering event 4624 by logon type

Posted on 2012-04-12
3
4,063 Views
Last Modified: 2012-04-12
I'm looking to find a way to filter event 4624 by logon type.  I want to only get logon type 2 and logon type 10.  Since the logon type is written in the message of the event I can't think of a way to filter on it.  The only way I've found is to dump all the 4624's to a text file via script and just search for type 2 and 10.  But I'd like to automate this if possible.
0
Comment
Question by:bigbigpig
  • 2
3 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37840869
In event viewer

under custom views.
Right click new view
Create Custom view

specify the even id and other details... this wll create the xml automatically
then under XML tab.. select check box edit query manually.. and change as per your requirement... below is just an example...you may have to modify for type of event (System,Security, Application.) if the line is comming multiple times...


<Select Path="S">*[System[(Level=2 or Level=10) and (EventID=4624)]]
0
 
LVL 10

Author Comment

by:bigbigpig
ID: 37841019
That didn't work but you got me in the right direction!  I looked in the events metadata to figure out what to query.  Here's what I used:

<Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>

Open in new window


Thank you!
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37841024
yeah.. i should have mentioned that those where just the steps how to do..
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now