Solved

Filtering event 4624 by logon type

Posted on 2012-04-12
Last Modified: 2012-04-12
I'm looking to find a way to filter event 4624 by logon type.  I want to only get logon type 2 and logon type 10.  Since the logon type is written in the message of the event I can't think of a way to filter on it.  The only way I've found is to dump all the 4624's to a text file via script and just search for type 2 and 10.  But I'd like to automate this if possible.
Question by:bigbigpig

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37840869
In Event Viewer,

under Custom Views:
Right-click, New View
Create Custom View

Specify the event ID and other details... this will create the XML automatically.
Then under the XML tab, select the check box "Edit query manually" and change as per your requirement... below is just an example... you may have to modify for type of event (System, Security, Application) if the line is coming multiple times...


<Select Path="S">*[System[(Level=2 or Level=10) and (EventID=4624)]]

Author Comment

by:bigbigpig
ID: 37841019
That didn't work but you got me in the right direction!  I looked in the events metadata to figure out what to query.  Here's what I used:

<Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>


Thank you!

Expert Comment

by:Anuroopsundd
ID: 37841024
Yeah.. I should have mentioned that those were just the steps how to do it..
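
To automate the filter from the author comment above, the same query can be run from PowerShell with Get-WinEvent -FilterXml. This is an added example, not code from the thread: it ties the value test to the LogonType element itself (a bare `Data=2` is satisfied by any Data field holding that value), and the function name, output columns and CSV path are assumptions.

```powershell
# Added example, not from the thread. Run elevated: reading the Security log needs admin rights.
# Logon type 2 = interactive (console), 10 = remote interactive (RDP / Terminal Services).
[xml]$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
'@

# Hypothetical helper name; returns one object per matching logon event.
function Get-InteractiveLogon {
    param(
        [int]$MaxEvents = 500   # assumption: cap on how many events to pull per run
    )

    Get-WinEvent -FilterXml $filterXml -MaxEvents $MaxEvents | ForEach-Object {
        # The named EventData fields are only reachable through the event's XML form.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogonType   = [int]$data['LogonType']
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Example run: write the filtered logons to a CSV for review (path is a placeholder).
Get-InteractiveLogon |
    Sort-Object TimeCreated |
    Export-Csv -Path .\logons-type2-10.csv -NoTypeInformation
```

The `<Select>` element on its own can also be pasted into the XML tab of an Event Viewer custom view, as in the steps from the accepted solution.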