Windows Events monitoring

Hi guys,

Could you help me to find solution to extract Windows Logins events ? I need to find solution to monitor this every one week

Regularly check security logs for inordinate amounts of data LEAVING the network. Hint: it could be going to a bad guy. - How could I do this ?  

thank you
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Giovanni HewardCommented:
Have a look at ADAudit Plus for logon event monitoring and reporting.  Have you enabled auditing of the logon events of interest?
yodaaAuthor Commented:
Thanks but The think is that i cannot use any software so I am looking for solution that I will extract somehow
yodaaAuthor Commented:
I have auditing enabled on the server.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Giovanni HewardCommented:
What about PowerShell?
yodaaAuthor Commented:
Yes I can use scripts, I setup this
but  excel does not show User ID name, the column is empty and I do not know why ?
I am no good in the scripting so maybe anyone know what is wrong with the above script ?  

thank you
Giovanni HewardCommented:
I've attached a working script above... just rename to logonactivity.ps1 and ensure you run powershell from an elevated privileged administrative command prompt.

powershell -ep bypass -file ./logonactivity.ps1

Open in new window

yodaaAuthor Commented:
Hi  thank you I will test it tomorrow
yodaaAuthor Commented:
Hi Giovanni,

Ok so I run this script but I got this error,please see below.

File C:\temp\logonactivity.ps1 cannot be loaded. The file C:\temp\logonactivity.ps1 is not digitally signed. You cannot run this
script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
yodaaAuthor Commented:

Now I got this error .

Get-Eventlog : Requested registry access is not allowed.
At C:\temp\logonactivity.ps1:47 char:8
+ $log = Get-Eventlog -LogName Security -ComputerName $hostname -after  ...
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
Giovanni HewardCommented:
You need to run powershell from an admin prompt.  Try running cmd.exe as Administrator, then run the following from the administrative command line.

powershell -ep bypass -file ./logonactivity.ps1

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
austin minorCommented:
Here are the steps you need to follow in order to successfully track user logon sessions using the event log:
yodaaAuthor Commented:
Thank you
yodaaAuthor Commented:
Thank you guys. Giovani I will open a new question if you can help me I would really  appreciate that
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.