Get-WinEvent Obtain Interactive Logon Messages Only

2
votes

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain "Logon Type: 2" or interactive logon. I have everything else working except for the part of obtaining only those logs for interactive logon's only. Here is a snip of my script, if anyone has any idea how to get this going it would be greatly appreciated. If I take the 2 out of "Logon Type" it works and I get everything, but if I have anything after that it does not kick any errors, but it doesn't yield results either. Yes, I have verified that I have interactive logon events during my filtered timeframe. Thanks.

$server; Get-WinEvent -computername $server -FilterHashTable @{Logname=$logname;ID=$eventid;StartTime=$starttime;EndTime=$endtime} | where { $_.Message | Select-String "Logon Type: 2" }

Tim

5
powershellpowershell-2.0

5 Answers

2
votes

EventRecord.properties have logon type in the list. To filter out successful logon events of interactive logon type for today:

Get-winevent -FilterHashtable @{logname='security'; id=4624; starttime=(get-date).date} | where {$_.properties[8].value -eq 2}
2
votes

The solution to the problem of how to match the white space between the semicolon and the number 2 in the first code example at the top of this article is to use a PowerShell regular expression pattern written like this \s+.

The pattern characters are case sensitive and typically used with the "-match" operator, but can be effectively employed with the Select-String commandlet as written in the poster’s original query. The modified code would look like this:

Get-WinEvent -FilterHashTable @{LogName="Security";ID=4624} | where { $_.Message | Select-String "Logon Type:\s+2"}

Additionally, if the PowerShell script needs to query older operating systems that still use classical event logs, the Get-EventLog commandlet can be likewise employed with the same pattern as shown here:

Get-EventLog -LogName Security -InstanceID 4624 | Where {$_.Message -match "Logon Type:\s+2"}

PowerShell regular expression references:

https://technet.microsoft.com/en-us/magazine/2007.11.powershell.aspx https://www.petri.com/powershell-string-parsing-with-regular-expressions

Note: the regex pattern referenced in this answer is described by Microsoft as a “character class”.

Clark Froebe

2
votes

For optimal speed you should filter via Xpath like this:

Get-WinEvent -ProviderName 'Microsoft-Windows-Security-Auditing' -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]" | select -First 1
1
votes

FYI in case anyone else ever attempts to do this same thing, it was looking for extra spaces after "Logon Type:" It wanted it to look like it does in the log iteself, "Logon Type: 2" I am not sure how to get around this in powershell, but putting it that way did the trick for me.

1
votes

I worked on several approaches to this problem. I thought they might be useful since identifying logon types is important. -RMF

Get-WinEvent -max 1000 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

Logon Type: 5 Logon Type: 7 ...

Get-WinEvent Security -max 1000| Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more

Id Level Message

4624 0 An account was successfully logged on.

       Subject:
           Security ID:        (deleted)
           Account Name:        (deleted)
           Account Domain:        (deleted)
           Logon ID:        0x3e7

       Logon Type:            5

....

Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

TimeCreated MachineName Message ----------- ----------- ------- 6/29/2011 12:36:35 PM (deleted) An account was successfully logged on.

                              Subject:
                                  Security ID:        (deleted)
                                  Account Name:        (deleted)
                                  Account Domain:        (deleted)
                                  Logon ID:        0x3e7

                              Logon Type:            5

...

Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

@{TimeCreated=06/29/2011 12:36:35; MachineName=(deleted); Message=An account was successfully logged on.

Subject:
                                  Security ID:        (deleted)
                                  Account Name:        (deleted)
                                  Account Domain:        (deleted)
                                  Logon ID:        0x3e7

                              Logon Type:            5

...

This last approach digs select information out of the Message per logon event, adds the TimeCreated field and gives something like a database format for all logon attempts (Id=4624) in the security log. The results are appended to a csv.

$LogonTypes=Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}

foreach ($item in $ $LogonTypes) {($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace" ","" -join "," | out-file -append test3.csv }

where (columnar) search.lst :

TimeCreated Security ID: Account Name: Account Domain: Logon ID: Logon Type: Logon GUID: Process Name: