Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks.
#1

Capturing interactive logons from Security Event Log

I'm trying to capture interactive logons from the Security Event log, but I'm having trouble structuring the WMI query. These two lines will give me the logon events...

    Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
    Set cLogonEvents = oWMIService.ExecQuery("Select * from Win32_NTLogEvent Where EventCode = '528'")

But I get ALL logon events. I'm only interested in capturing Interactive Logons - LogonType = 2.

So, how can I structure my query to capture only those? Or, how can I interrogate all my logon events captured by my current query to extract only the LogonType = 2 events?

Thanks,

Tom
#2

Re: Capturing interactive logons from Security Event Log

"T Ker" <thomasDOTkerA@newsgroup> wrote in message news:enPPFQfPKHA.1268@newsgroup

> I'm trying to capture interactive logons from the Security Event log, but
> I'm having trouble structuring the WMI query. These two lines will give
> me the logon events...
>
> Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
> Set cLogonEvents = oWMIService.ExecQuery("Select * from Win32_NTLogEvent Where EventCode = '528'")
>
> But I get ALL logon events. I'm only interested in capturing Interactive
> Logons - LogonType = 2.
>
> So, how can I structure my query to capture only those? Or, how can I
> interrogate all my logon events captured by my current query to extract
> only the LogonType = 2 events?
>
> Thanks,
>
> Tom

specify (615 in this case). I note that you want Type 2 events but you specify Type 528.

    Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate, " _
        & "(Security)}!\\.\root\cimv2")
    Set cLogonEvents = oWMIService.ExecQuery("Select * from Win32_NTLogEvent " _
        & "Where EventCode = '615'")
    For Each oEvent In cLogonEvents
        WScript.Echo oEvent.EventCode
    Next
#3

Re: Capturing interactive logons from Security Event Log

Tom wrote:

> I'm trying to capture interactive logons from the Security Event log, but
> I'm having trouble structuring the WMI query. These two lines will give
> me the logon events...
>
> Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
> Set cLogonEvents = oWMIService.ExecQuery("Select * from Win32_NTLogEvent Where EventCode = '528'")
>
> But I get ALL logon events. I'm only interested in capturing Interactive
> Logons - LogonType = 2.
>
> So, how can I structure my query to capture only those? Or, how can I
> interrogate all my logon events captured by my current query to extract
> only the LogonType = 2 events?

Message property for "Logon Event:" followed by vbTab and "2". This worked for me:

    Option Explicit

    Dim strComputer, objWMIService, colEvents, objEvent
    Dim strMessage

    strComputer = "MyComputer"

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
        & strComputer & "\root\cimv2")

    Set colEvents = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTLogEvent " _
        & "WHERE LogFile = 'Security' AND EventCode = '528'")

    For Each objEvent In colEvents
        strMessage = objEvent.Message
        If (InStr(strMessage, "Logon Type:" & vbTab & "2") > 0) Then
            Wscript.Echo "Category: " & objEvent.Category
            Wscript.Echo "Message: " & strMessage
            Wscript.Echo "Computer: " & objEvent.ComputerName
            Wscript.Echo "User: " & objEvent.User
            Wscript.Echo "Time Written: " & objEvent.TimeWritten
            Wscript.Echo "Event Type: " & objEvent.Type
        End If
    Next

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
#4

Re: Capturing interactive logons from Security Event Log

Sorry, I meant to say parse the Message property for the string "Logon Type:" followed by vbTab followed by "2". I incorrectly said to parse for "Logon Event:" in my post, but the code I posted was correct and worked for me.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
#5

Re: Capturing interactive logons from Security Event Log

That's OK, Richard. I didn't read your description as closely as I read your code! Works for me too!

Thanks,

"Richard Mueller [MVP]" wrote:

> Sorry, I meant to say parse the Message property for the string "Logon Type:"
> followed by vbTab followed by "2". I incorrectly said to parse for "Logon
> Event:" in my post, but the code I posted was correct and worked for me.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
#6

Re: Capturing interactive logons from Security Event Log

While I have your attention, let me sneak a couple more questions about reading the event logs in...

Our security logs are large and processing that query is time consuming. How can I speed it up? Is the log read from the beginning (lowest Event.RecordNumber) or end (most recent Event.RecordNumber)? Is it read sequentially by Event.RecordNumber or something else (Event.TimeWritten)?

I'm big on self-help if you have a link for me to some helpful documentation.

Thanks,

Tom

"Richard Mueller [MVP]" wrote:

> Sorry, I meant to say parse the Message property for the string "Logon Type:"
> followed by vbTab followed by "2". I incorrectly said to parse for "Logon
> Event:" in my post, but the code I posted was correct and worked for me.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
#7

Re: Capturing interactive logons from Security Event Log

Querying the event logs can take a long time because they are huge. I assume WMI reads them from beginning to end. The more specific the query, the faster it runs. The query I posted is faster because I specified the Security log and the EventCode, but slower because I was not able to specify a value for "Logon Type". The query would be faster if there were a property we could use for "Logon Type". See this link, with the discussion of relative query times:

http://www.microsoft.com/technet/scr..._log_udqz.mspx

I think speed depends on the size of the recordset retrieved.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Tom K" <TomK@newsgroup> wrote in message news:BF483BA9-852F-4464-8508-72F38CCDECC4@newsgroup

> While I have your attention, let me sneak a couple more questions about
> reading the event logs in...
>
> Our security logs are large and processing that query is time consuming.
> How can I speed it up? Is the log read from the beginning (lowest
> Event.RecordNumber) or end (most recent Event.RecordNumber)? Is it read
> sequentially by Event.RecordNumber or something else (Event.TimeWritten)?
>
> I'm big on self-help if you have a link for me to some helpful
> documentation.
>
> Thanks,
>
> Tom
#8

Re: Capturing interactive logons from Security Event Log

Hi, Tom

Have you considered using Microsoft's free log parser?

http://www.microsoft.com/downloads/d...displaylang=en

-Paul Randall

"Tom K" <TomK@newsgroup> wrote in message news:BF483BA9-852F-4464-8508-72F38CCDECC4@newsgroup

> While I have your attention, let me sneak a couple more questions about
> reading the event logs in...
>
> Our security logs are large and processing that query is time consuming.
> How can I speed it up? Is the log read from the beginning (lowest
> Event.RecordNumber) or end (most recent Event.RecordNumber)? Is it read
> sequentially by Event.RecordNumber or something else (Event.TimeWritten)?
>
> I'm big on self-help if you have a link for me to some helpful
> documentation.
>
> Thanks,
>
> Tom
#9

Re: Capturing interactive logons from Security Event Log

Excellent reading. Thanks for the link. My first pass will be time consuming, but, thanks to a tip gleaned from those pages, I'll be able to make subsequent queries take much less time.

Tom

"Richard Mueller [MVP]" <rlmueller-nospam@newsgroup> wrote in message news:ehvNFqIQKHA.4568@newsgroup

> Querying the event logs can take a long time because they are huge. I
> assume WMI reads them from beginning to end. The more specific the query,
> the faster it runs. The query I posted is faster because I specified the
> Security log and the EventCode, but slower because I was not able to
> specify a value for "Logon Type". The query would be faster if there were
> a property we could use for "Logon Type". See this link, with the
> discussion of relative query times:
>
> http://www.microsoft.com/technet/scr..._log_udqz.mspx
>
> I think speed depends on the size of the recordset retrieved.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
#10

Re: Capturing interactive logons from Security Event Log

Thanks, Paul. That tool works much quicker - less than 7 seconds compared to minutes.

The only problem that I'm having now is not related to my original question. When one of my cohorts found out what I was doing he asked me to grab a couple other event IDs (636 and 637). As with the 528 events, those events require me to get the Event.Message field and evaluate its contents. The problem is that LogParser doesn't resolve the SID in the Event.Message field to an actual user ID. What's odd is I can build one query that pulls all those events into a CSV file and see that the SIDs in the 528 events resolve correctly, but the SIDs in the 636 and 637 events don't. I am using the "-resolveSIDs:ON" switch. What's up with that?

So if I tell him to figure that out for himself my project is done! Of course I'm not going to do that, so...

Tom

"Paul Randall" <paulr901@newsgroup> wrote in message news:OvrwQlLQKHA.3540@newsgroup

> Hi, Tom
> Have you considered using Microsoft's free log parser?
> http://www.microsoft.com/downloads/d...displaylang=en
>
> -Paul Randall
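An added PowerShell example, not from the thread, for the last problem Tom raises: when a SID in the Message text of the 636/637 group-membership events is not resolved by the tool, it can be translated afterwards with the .NET SecurityIdentifier class. The sample message is constructed, and the function name is mine; it handles a SID both bare and inside the %{S-1-...} wrapper that event message templates use for SIDs. A SID that still fails to translate usually belongs to a deleted account or to a domain the querying machine cannot reach, and is left in the text as it was rather than dropped.

```powershell
# Added example, not from the thread: resolve SIDs that remain in an event's
# Message text to account names with System.Security.Principal.SecurityIdentifier.
# Assumptions: the sample below is constructed; 636/637 and the Security log as in the thread.
function Resolve-SidsInText {
    param([string]$Text)
    # Group 2 is the SID itself; groups 1 and 3 are the optional %{ } wrapper.
    $pattern = '(%\{)?(S-1-\d+(?:-\d+)+)(\})?'
    [regex]::Replace($Text, $pattern, {
        param($m)
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $m.Groups[2].Value
            # Resolved form, e.g. DOMAIN\user; replaces the wrapper as well.
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted accounts and SIDs from an unreachable domain cannot be
            # mapped; keep the original text so nothing is lost from the record.
            $m.Value
        }
    })
}

# Constructed sample in the tab-separated "Label:<tab>Value" layout of the
# thread's Message text. The well-known SID S-1-5-18 resolves on any Windows
# host (NT AUTHORITY\SYSTEM); the domain SID is made up and will stay as-is.
$sample = "Member ID:`t%{S-1-5-21-1111111111-2222222222-3333333333-1001}`r`n" +
          "Caller User Name:`tS-1-5-18"
Resolve-SidsInText $sample

# The same post-processing over the events Tom mentions, from the local log.
$query = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' " +
         "AND (EventCode = 636 OR EventCode = 637)"
Get-WmiObject -EnableAllPrivileges -Query $query |
    ForEach-Object { Resolve-SidsInText $_.Message }
```

Translate queries the local SAM for machine-local SIDs and the domain (via the secure channel) for domain SIDs, so run it on a machine that can reach the domain the events came from; a SID that resolves on the domain controller but not on the workstation is the usual reason a CSV export shows a mix of names and raw SIDs.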