Solved

PowerShell Get-WinEvent for logon events

Posted on 2014-02-18
Last Modified: 2014-03-14
I have been doing a lot of research the past few days. I'm trying to get a very basic script to run on Win 2008/Win7 that will give me a list of users who have logged on.

I found a bunch of scripts like the following:

Get-WinEvent -computername $server -FilterHashTable @{Logname=$logname;ID=$eventid;StartTime=$starttime;EndTime=$endtime} | where { $_.Message | Select-String "Logon Type: 2" }

I'd like to have a starttime and endtime and I think it should just show the logon type of 2, if I'm not mistaken. It would be great if this could be output to a csv file. Any ideas? Thanks so much.
Question by:cb_it

Accepted Solution

by:
Prashant Girennavar earned 500 total points
ID: 39869184
Pipe the output to Export-csv

i.e

Get-WinEvent -computername $server -FilterHashTable @{Logname=$logname;ID=$eventid;StartTime=$starttime;EndTime=$endtime} | where { $_.Message | Select-String "Logon Type: 2" } | export-csv C:\winlogs.csv -notypeinformation

Let me know if this helps.

Thanks,

-Prashant Girennavar

Author Comment

by:cb_it
ID: 39870115
Thanks for the info. The script executes and a csv file is created but it's blank. With the script as is what is getting piped to the csv file?

I would like columns for account name, date, time, etc.

Any ideas??

Author Comment

by:cb_it
ID: 39870119
Just to be clear the main point of this is to run it on a server to get a csv list of who has logged in and when, nothing more. If there is a better script out there let me know! Thanks.

Expert Comment

by:Qlemo
ID: 39877646
Get-WinEvent -Computer $Server -FilterHashTable @{
  Logname   = 'Security'
  StartTime = $starttime
  EndTime   = $endtime
  ID        = 4624   # 4624 = an account was successfully logged on
  Data      = 2      # event data value 2 (the logon type)
}


gets the respective entries. But parsing the result is a pain ...

Expert Comment

by:Qlemo
ID: 39909917
I can't see how http:#a39869184 could have answered your question - the resulting file is empty, according to your response.
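
What the thread is after (account name, date and time of interactive logons in a CSV), as an added example that is not from any of the posters. It reads the named fields from each event's XML rather than matching the rendered message text; the server name, seven-day window and output path are assumed values.

```powershell
# Added example: export interactive logons (event 4624, logon type 2) to CSV.
# Assumed values: target server, time window and output path.
$Server    = 'localhost'
$StartTime = (Get-Date).AddDays(-7)
$EndTime   = Get-Date
$OutFile   = 'C:\winlogs.csv'

# Filter on the server side by log, event ID and time window.
$filter = @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = $StartTime
    EndTime   = $EndTime
}

Get-WinEvent -ComputerName $Server -FilterHashtable $filter |
    ForEach-Object {
        $logon = $_

        # Collect the <Data Name="..."> elements into a lookup table.
        # The rendered message puts tabs after "Logon Type:" and is
        # localized, so matching on its text is unreliable.
        $xml  = [xml]$logon.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Keep interactive (console) logons only.
        if ($data['LogonType'] -eq '2') {
            New-Object PSObject -Property @{
                TimeCreated = $logon.TimeCreated
                Domain      = $data['TargetDomainName']
                Account     = $data['TargetUserName']
                LogonType   = $data['LogonType']
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
            }
        }
    } |
    # Select-Object fixes the column order in the CSV.
    Select-Object TimeCreated, Domain, Account, LogonType, Workstation, SourceIP |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Reading the Security log needs an elevated session or membership in Event Log Readers, and Get-WinEvent reports an error rather than returning nothing when no events match the filter.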