Windows Events monitoring

yodaa
Hi guys,

Could you help me find a solution to extract Windows login events? I need to find a solution to monitor this every week.

Regularly check security logs for inordinate amounts of data LEAVING the network. Hint: it could be going to a bad guy. - How could I do this?

thank you
M
Have a look at ADAudit Plus for logon event monitoring and reporting.  Have you enabled auditing of the logon events of interest?
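Before trusting any export, it is worth confirming that the Logon and Logoff subcategories are really being audited; "auditing is enabled" on a server can still mean the wrong subcategory. The following is an added example written for this thread, not code from the original post or from any product mentioned here. It assumes an elevated PowerShell prompt (auditpol refuses to run otherwise) and relies on auditpol's documented /r switch, which prints its result as CSV.

```powershell
# Added example: confirm that the Logon/Logoff subcategories are actually
# being audited before relying on 4624/4625 events. auditpol needs an
# elevated prompt; on a domain member, an advanced audit policy set by GPO
# overrides whatever you set locally at the next policy refresh.
function Get-LogonAuditState {
    foreach ($sub in 'Logon', 'Logoff') {
        # /r makes auditpol emit CSV, which ConvertFrom-Csv parses directly.
        # The Where-Object drops the blank line auditpol prints first.
        $row = auditpol /get "/subcategory:$sub" /r |
            Where-Object { $_ } | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'    # e.g. 'Success and Failure'
            Enabled     = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

function Enable-LogonAuditing {
    # Successful logons -> 4624, failed logons -> 4625, logoffs -> 4634/4647.
    auditpol /set /subcategory:Logon  /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:Logoff /success:enable | Out-Null
}

$state = Get-LogonAuditState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Enabled }) {
    Write-Warning 'Logon auditing is not fully enabled; run Enable-LogonAuditing and re-check.'
}
```

If the Logon subcategory shows "No Auditing", no script will find 4624 events, however well it parses the log. Enabling failure auditing as well is what makes the weekly report useful for spotting password guessing.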

Author

Commented:
Thanks, but the thing is that I cannot use any software, so I am looking for a solution where I extract it somehow.

Author

Commented:
I have auditing enabled on the server.

What about PowerShell?
logonactivity.ps1.txt

Author

Commented:
Yes, I can use scripts. I set up this https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc
but Excel does not show the User ID name; the column is empty and I do not know why.
I am no good at scripting, so maybe someone knows what is wrong with the above script?

thank you
I've attached a working script above... just rename it to logonactivity.ps1 and ensure you run PowerShell from an elevated administrative command prompt.

powershell -ep bypass -file ./logonactivity.ps1

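Neither the attached logonactivity.ps1 nor the TechNet gallery script is shown on this page, so what follows is an added example written for this thread, not either of those scripts. It is built on an assumption about the empty User ID column: Get-EventLog's UserName property is blank for most Security-log records, because the account that logged on is not in the record header but in the event's EventData (the TargetUserName field). The example therefore uses Get-WinEvent and reads the fields out of the event XML. It assumes an elevated prompt, writes to $env:TEMP, and covers the last 7 days to match the weekly cadence asked for.

```powershell
# Added example: export the last 7 days of logon events (4624 success,
# 4625 failure) from the Security log to CSV, with the user name taken from
# the event's EventData rather than the (usually empty) record UserName.
$Days    = 7
$OutFile = Join-Path $env:TEMP ("logons_{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))

# Human-readable names for the LogonType field of 4624/4625.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            # Turn <Data Name="TargetUserName">bob</Data> ... into a lookup table.
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $type = [int]$data['LogonType']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Domain      = $data['TargetDomainName']
                User        = $data['TargetUserName']
                LogonType   = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { $type }
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                Computer    = $_.MachineName
            }
        }
}

# Drop machine accounts (NAME$) and the built-in identities so the weekly
# report shows people, not background noise. Adjust the list to taste.
$events = Get-LogonEvents -Days $Days |
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON' }

$events | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} logon events written to {1}" -f @($events).Count, $OutFile

# A quick summary worth eyeballing each week: failed logons per source IP.
$events | Where-Object Result -eq 'Failure' |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The FilterHashtable is evaluated by the event log service, so it is far faster than pulling the whole Security log and filtering in PowerShell; on a busy server that difference is minutes versus seconds. Keep the LogonType column in the CSV: type 10 (RemoteInteractive) from an address you do not recognise is the kind of row this report exists to surface.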

Author

Commented:
Hi  thank you I will test it tomorrow

Author

Commented:
Hi Giovanni,

OK, so I ran this script but I got this error, please see below.

File C:\temp\logonactivity.ps1 cannot be loaded. The file C:\temp\logonactivity.ps1 is not digitally signed. You cannot run this
script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies
at http://go.microsoft.com/fwlink/?LinkID=135170.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess

Author

Commented:
Hi,

Now I got this error.

Get-Eventlog : Requested registry access is not allowed.
At C:\temp\logonactivity.ps1:47 char:8
+ $log = Get-Eventlog -LogName Security -ComputerName $hostname -after  ...
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
You need to run PowerShell from an admin prompt. Try running cmd.exe as Administrator, then run the following from the administrative command line.

powershell -ep bypass -file ./logonactivity.ps1


Here are the steps you need to follow in order to successfully track user logon sessions using the event log: https://community.spiceworks.com/how_to/130398-how-to-track-user-logon-sessions-using-event-log
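The two errors in this thread are the ones a weekly job will keep hitting if it is run by hand: the "not digitally signed" message is the machine's execution policy rejecting an unsigned or downloaded script (which is exactly what -ep bypass sidesteps for that one process), and "Requested registry access is not allowed" is what Get-EventLog raises on the Security log without administrative rights. The following is an added example, not the expert's script or the Spiceworks procedure linked above, showing how to register the export as a weekly scheduled task that runs as SYSTEM, so neither problem comes back. It assumes the C:\temp\logonactivity.ps1 path from the thread and a made-up task name, and is run once from an elevated prompt. One caveat a practitioner should weigh: execution policy is not a security boundary, so what actually needs protecting is who can edit the file the task executes.

```powershell
# Added example: schedule the logon export weekly as SYSTEM. Run once, elevated.
$ScriptPath = 'C:\temp\logonactivity.ps1'     # path used in the thread
$TaskName   = 'Weekly-LogonExport'            # assumed name

# A SYSTEM task executing a file that ordinary users can modify is a local
# privilege escalation. Check who can write to the script before scheduling it.
$writers = (Get-Acl $ScriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -match 'Write|Modify|FullControl') -and
    $_.IdentityReference -notmatch 'SYSTEM|Administrators'
}
if ($writers) {
    Write-Warning "Non-admin principals can modify ${ScriptPath}: $($writers.IdentityReference -join ', ')"
    return
}

# If the script was downloaded, strip the Mark-of-the-Web so RemoteSigned
# would also accept it; -ExecutionPolicy Bypass below covers it either way.
Unblock-File -Path $ScriptPath

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'

# SYSTEM can read the Security log, and no password has to be stored in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Weekly export of Security logon events' -Force

# Verify the registration, then run it once by hand and check the result.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

Because the task runs as SYSTEM, anything the script writes to $env:TEMP lands under C:\Windows\Temp rather than the logged-on user's profile; point the export at a fixed folder that only administrators can read if the CSV is meant to be picked up later. A LastTaskResult of 0 means the job completed; anything else is the script's own exit code and is where to start looking.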

Author

Commented:
Thank you

Author

Commented:
Thank you guys. Giovanni, I will open a new question; if you can help me, I would really appreciate that.
