Filtering Security Logs by User and Logon Type

I have been asked to find out when a user has logged on to the system in the last week. Now, the audit logs in Windows should contain all the info I need. I think if I search for Event ID 4624 (Logon Success) with a specific AD user and Logon Type 2 (Interactive Logon) that it should give me the information I need, but for the life of me I cannot figure out how to actually filter the Event Log to get this information. Is it possible inside of the Event Viewer, or do you need to use an external tool to parse it to this level?

I found http://nerdsknowbest. I needed. I modified it slightly to only give me the last 7 days' worth. Below is the XML I tried.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="Security">*[EventData[Data[@Name='LogonType']='2']]</Select>
    <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='Domain\Username']]</Select>
  </Query>
</QueryList>
```

It only gave me the last 7 days, but the rest of it did not work. Can anyone assist me with this?

EDIT: Thanks to the suggestions of Lucky Luke I have been making progress. The below is my current query, although as I will explain it isn't returning any results.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]]
      and *[System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
      and *[EventData[Data[@Name='TargetUserName']='john.']]
      and *[EventData[Data[@Name='LogonType']='2']]
    </Select>
  </Query>
</QueryList>
```

As I mentioned, it wasn't returning any results, so I have been messing with it a bit. I can get it to produce the results correctly until I add in the LogonType line. After that, it returns no results. Any idea why this might be?

EDIT 2: I updated the LogonType line to the following:

```xml
*[EventData[Data[@Name='LogonType'] and (Data='2' or Data='7')]]
```

This should capture Workstation Logons as well as Workstation Unlocks, but I still get nothing. I then modify it to search for other Logon Types like 3 or 8, which it finds plenty of. This leads me to believe that the query works correctly, but for some reason there are no entries in the Event Logs with Logon Type equalling 2, and this makes no sense to me. Is it possible to turn this off?
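As an added example (not from the original post or the linked site), the same search run from PowerShell with Get-WinEvent: every condition sits in one XPath expression joined by `and` (separate `<Select>` elements in a custom view are unioned, not intersected), the user is matched on TargetUserName because 4624 records the logged-on account there rather than in SubjectUserName, and the script first shows which logon types actually occur for the user before narrowing to the interactive ones. The account name `jdoe`, the 7-day window and an elevated prompt (needed to read the Security log) are assumptions.

```powershell
# Added example (not from the original post). The account name 'jdoe' and the
# 7-day window are assumptions; adjust $User and $Days for your environment.
param(
    [string]$User = 'jdoe',
    [int]$Days    = 7
)

$ms = $Days * 24 * 60 * 60 * 1000   # timediff() compares in milliseconds

# Every condition goes in ONE expression joined by 'and'. Separate <Select>
# elements in a custom view are unioned (OR), so they cannot narrow a query.
# 4624 records the logged-on account in TargetUserName; SubjectUserName is the
# account that requested the logon (often SYSTEM or the computer account).
$xpath = @"
*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]]
and *[EventData[Data[@Name='TargetUserName']='$User']]
"@

# Get-WinEvent reports "No events were found" as an error; suppress it.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Interactive logon types: 2 console, 7 unlock, 10 RDP, 11 cached credentials.
# 3 (network) and 8 (NetworkCleartext) are not interactive sessions.
$interactive = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = [int]$d['LogonType']
        Kind        = $interactive[[int]$d['LogonType']]
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        Subject     = $d['SubjectUserName']
    }
}

# First see which logon types actually occur for this user in the window; if
# type 2 never appears, the logons are probably arriving as 10 (RDP) or 11.
$rows | Group-Object LogonType | Select-Object Name, Count | Sort-Object { [int]$_.Name }

# Then list only the interactive logons, newest first.
$rows | Where-Object { $interactive.ContainsKey($_.LogonType) } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```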
September 2018