Get-WinEvent Obtain Interactive Logon Messages Only

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain "Logon Type: 2" or interactive logon. I have everything else working except for the part of obtaining only those logs for interactive logons. Here is a snip of my script; if anyone has any idea how to get this going it would be greatly appreciated. If I take the 2 out of "Logon Type" it works and I get everything, but if I have anything after that it does not kick any errors, but it doesn't yield results either. Yes, I have verified that I have interactive logon events during my filtered timeframe. Thanks.

$server; Get-WinEvent -computername $server -FilterHashTable @{Logname=$logname;ID=$eventid;StartTime=$starttime;EndTime=$endtime} | where { $_.Message | Select-String "Logon Type: 2" }

Tim

EventRecord.properties have logon type in the list. To filter out successful logon events of interactive logon type for today:

Get-winevent -FilterHashtable @{logname='security'; id=4624; starttime=(get-date).date} | where {$_.properties[8].value -eq 2}


The solution to the problem of how to match the white space between the semicolon and the number 2 in the first code example at the top of this article is to use a PowerShell regular expression pattern written like this \s+.

The pattern characters are case sensitive and typically used with the "-match" operator, but can be effectively employed with the Select-String commandlet as written in the poster’s original query. The modified code would look like this:

Get-WinEvent -FilterHashTable @{LogName="Security";ID=4624} | where { $_.Message | Select-String "Logon Type:\s+2"} 

Additionally, if the PowerShell script needs to query older operating systems that still use classical event logs, the Get-EventLog commandlet can be likewise employed with the same pattern as shown here:

Get-EventLog -LogName Security -InstanceID 4624 | Where {$_.Message -match "Logon Type:\s+2"}

PowerShell regular expression references:

https://technet.microsoft.com/en-us/magazine/2007.11.powershell.aspx
https://www.petri.com/powershell-string-parsing-with-regular-expressions

Note: the regex pattern referenced in this answer is described by Microsoft as a "character class".

Clark Froebe


For optimal speed you should filter via XPath like this:

Get-WinEvent -ProviderName 'Microsoft-Windows-Security-Auditing' -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]" | select -First 1


FYI in case anyone else ever attempts to do this same thing, it was looking for extra spaces after "Logon Type:". It wanted it to look like it does in the log itself, "Logon Type: 2". I am not sure how to get around this in PowerShell, but putting it that way did the trick for me.


I worked on several approaches to this problem. I thought they might be useful since identifying logon types is important. -RMF

Get-WinEvent -max 1000 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

Logon Type: 5 Logon Type: 7 ...

Get-WinEvent Security -max 1000| Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more

Id Level Message


4624 0 An account was successfully logged on.

       Subject:
           Security ID:        (deleted)
           Account Name:        (deleted)
           Account Domain:        (deleted)
           Logon ID:        0x3e7

       Logon Type:            5

....

Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

TimeCreated           MachineName  Message
-----------           -----------  -------
6/29/2011 12:36:35 PM (deleted)    An account was successfully logged on.

                              Subject:
                                  Security ID:        (deleted)
                                  Account Name:        (deleted)
                                  Account Domain:        (deleted)
                                  Logon ID:        0x3e7

                              Logon Type:            5

...

Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

@{TimeCreated=06/29/2011 12:36:35; MachineName=(deleted); Message=An account was successfully logged on.

Subject:
                                  Security ID:        (deleted)
                                  Account Name:        (deleted)
                                  Account Domain:        (deleted)
                                  Logon ID:        0x3e7

                              Logon Type:            5

...

This last approach digs select information out of the Message per logon event, adds the TimeCreated field and gives something like a database format for all logon attempts (Id=4624) in the security log. The results are appended to a csv.

$LogonTypes=Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}

foreach ($item in $LogonTypes) {($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","" -join "," | out-file -append test3.csv }

where search.lst holds one search string per line:

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:
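The following is an added example, not code posted in this thread. It combines the two ideas above: the XPath answer's server-side filtering on the LogonType field, and RMF's goal of turning each 4624 event into one CSV row, but it reads the named EventData fields from the event XML instead of regex-parsing the free-text Message (so the tab-spacing problem the original poster hit never arises). The function name, parameter names and the Event Log Readers assumption are mine; the EventData field names are those of Event 4624.

```powershell
# Added example (not from the original thread). Assumes the caller can read the
# Security log (local Administrators or Event Log Readers) on the target host.
function Get-InteractiveLogon {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$LogonType = @(2, 10),          # 2 = Interactive, 10 = RemoteInteractive (RDP)
        [datetime]$StartTime = (Get-Date).Date,
        [int]$MaxEvents = 1000
    )
    # Build the LogonType alternatives once. XPath filtering runs inside the event
    # log service, which is far cheaper than piping every 4624 through Where-Object.
    $typeXPath = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $since = $StartTime.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']] and EventData[$typeXPath]]"
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
            -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws instead of returning nothing when no event matches;
        # treat that as an empty result rather than a failure.
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }
    foreach ($e in $events) {
        # Every <Data Name="..."> element of the event becomes a hashtable entry.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
            LogonId     = $d['TargetLogonId']
            SourceIP    = $d['IpAddress']
            ProcessName = $d['ProcessName']
        }
    }
}

# Example use: interactive and RDP logons since midnight, appended to a CSV.
Get-InteractiveLogon -LogonType 2, 10 | Export-Csv -Path .\logons.csv -NoTypeInformation -Append
```

Because the output is objects rather than text, the same call can feed `Group-Object User` or `Where-Object { $_.SourceIP -ne '-' }` for a quick review of who logged on interactively and from where.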


Comments
  • Thanks! This is orders of magnitude faster than the solution using where
  • It did not come through above, it appears to be four tabs between "Logon Type:" and the 2.
  • you should claim the answer checkbox, even though it was a little lame ;)