#1
Pulling security log data

I'm trying to put together a script that will poll a set of domain computers and pull login and unlock data from the security logs. After a good deal of searching, I've got the basic syntax worked out, but what I managed to put together seems to take forever (if it's actually progressing at all) to pull or filter the data from one machine.

Below is what I've cobbled together to gather the data from one machine, but it's about time to consult a more authoritative source than Google for piecing this together.

Thanks to any who can offer advice on how to do this right:

---

```powershell
$strComputer = "."

# Establish date search range. One day for initial testing, will eventually revise it to
# go back to the last search on a machine by machine basis
$d = Get-Date
$startday = [System.Management.ManagementDateTimeConverter]::ToDMTFDateTime($d.AddDays(-1))
$today = [System.Management.ManagementDateTimeConverter]::ToDMTFDateTime($d)

# Pull the security log
#$colItems = get-wmiobject -class Win32_NTLogEvent -namespace "root\cimv2" -computername $strComputer `
#    -query "select EventCode,TimeWritten,User,Message from Security and (EventCode = 528 or EventCode = 538) `
#    and TimeWritten >= $yesterday and TimeWritten < $today and (Message LIKE $Unlock or Message LIKE $Login) " `
#    | sort "TimeWritten"

$co = new-object Management.ConnectionOptions
$co.EnablePrivileges = $true    # SeSecurityPrivilege is required to read the Security log
$ms = new-object Management.ManagementScope("\\$strComputer\root\cimv2", $co)
$ms.Connect()
$q = new-object Management.ObjectQuery("select TimeWritten,EventCode,Message,User from win32_ntlogevent where logfile='Security' ")
$mos = new-object Management.ManagementObjectSearcher($ms, $q)
$secLog = $mos.Get()
# Date filtering is done client-side, after the whole log has been pulled over WMI
$secLogRecent = $secLog | where-object { $_.TimeWritten -ge $startday -and $_.TimeWritten -lt $today }
# "`t" is PowerShell's tab escape: the event message reads "Logon Type:<tab>2" (interactive) or "<tab>7" (unlock)
$colItems = $secLogRecent | where-object { $_.message -like "*Logon Type:`t2*" -or $_.message -like "*Logon Type:`t7*" } | sort "TimeWritten"
```
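The slowness described in the post comes from `$mos.Get()` streaming every Security log record back and only then filtering by date and message text in PowerShell. The following is an added example (not the poster's code) that pushes the event codes and the time window into the WQL WHERE clause so the WMI provider filters on the remote machine and runs the query across a list of computers; it assumes PowerShell 2.0 or later for Get-WmiObject's -EnableAllPrivileges switch and keeps the pre-Vista event IDs 528/538 and logon types 2/7 from the post (Vista and later log 4624/4634 for logon/logoff and 4800/4801 for lock/unlock).

```powershell
# Added example, not the original poster's script. Filters server-side in WQL
# instead of pulling the whole Security log and filtering in PowerShell.
# Assumes PowerShell 2.0+ (-EnableAllPrivileges supplies SeSecurityPrivilege)
# and that the caller is an administrator on the target machines.
# Event codes 528/538 and logon types 2/7 are the pre-Vista values from the
# post; on Vista and later substitute 4624/4634 (logon/logoff) and 4800/4801.
param(
    [string[]]$ComputerName = @('.'),   # constructed default: local machine only
    [int]$Days = 1
)

$logonTypeNames = @{ 2 = 'Interactive'; 7 = 'Unlock' }

function Get-LogonEvents {
    param([string]$Computer, [datetime]$Since)

    # WQL compares TimeWritten against a DMTF-formatted timestamp string.
    $dmtfSince = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $query = "SELECT TimeWritten, EventCode, User, Message FROM Win32_NTLogEvent " +
             "WHERE Logfile = 'Security' AND (EventCode = 528 OR EventCode = 538) " +
             "AND TimeWritten >= '$dmtfSince'"

    Get-WmiObject -ComputerName $Computer -Namespace 'root\cimv2' -Query $query `
                  -EnableAllPrivileges -ErrorAction Stop |
        ForEach-Object {
            # The logon type sits in the message body as "Logon Type:<tab>N";
            # a regex is more robust than a wildcard containing a literal tab.
            $type = $null
            if ($_.Message -match 'Logon Type:\s*(\d+)') { $type = [int]$matches[1] }
            if ($type -eq 2 -or $type -eq 7) {
                New-Object PSObject -Property @{
                    Computer  = $Computer
                    Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten)
                    EventCode = $_.EventCode
                    User      = $_.User
                    LogonType = $logonTypeNames[$type]
                }
            }
        }
}

$since = (Get-Date).AddDays(-$Days)
$results = foreach ($c in $ComputerName) {
    try   { Get-LogonEvents -Computer $c -Since $since }
    catch { Write-Warning "$c : $($_.Exception.Message)" }   # unreachable host, access denied, etc.
}
$results | Sort-Object Computer, Time | Format-Table -AutoSize
```

Per-machine failures are reported as warnings rather than aborting the whole run, so one offline host does not stop collection from the rest.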
#2
Re: Pulling security log data

Why not use LogParser for this? It's a lot easier.

http://www.microsoft.com/downloads/d...displaylang=en

"Karl Greenley" wrote in message news:2008715153330kgreenley@xxxxxx

> <snip: quoted post #1>