Filtering Security Logs by User and Logon Type


Solution 1

You're on the right track - one of the mistakes in your query is the space in 'Logon Type', it should just be 'LogonType'.

I pasted a query below that I have just verified works. It's a bit simplified but you get the idea. It shows you all 4624 events with logon type 2, from user 'john.doe'.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='LogonType']='2']
        and
        EventData[Data[@Name='TargetUserName']='john.doe']
        and
        System[(EventID='4624')]
      ] 
    </Select>
  </Query>
</QueryList>

You can find out more about XML queries in the event viewer here: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.

You can query events from the command line with wevtutil.exe: http://technet.microsoft.com/en-us/magazine/dd310329.aspx.

Solution 2

I found this question and had to do a bit of work to parse together content, from the accepted answer and question updates, to get a functional solution. I figured I'd post a complete, working query syntax here for future reference:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='john.doe')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

The above query should work to narrow down the events according to the following parameters:

  • Events in the Security log.
  • With Event ID 4624
  • Occurring within the past 30 days.
  • Associated with user john.doe.
  • With LogonType 10.

You can change the LogonTypes in the filter by altering (Data='10') in the above code. For example, you might want to do (Data='2') or (Data='10' or Data='2').
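An added example, not code from either answer: a PowerShell wrapper that builds the same XPath filter the two answers assemble by hand (user, window in days, list of logon types), runs it through Get-WinEvent -FilterXml (the PowerShell counterpart of the Event Viewer XML filter and wevtutil), and, when nothing matches, tallies which LogonType values that user actually has, which is the check the thread needed to see its missing type 2 logons. Function names and the default logon-type list are my own choices; reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the answers above): parameterise the XPath filter the answers
# build by hand, run it with Get-WinEvent, and fall back to a per-LogonType tally.
# Function names are assumed; reading the Security log requires an elevated prompt.
function New-LogonQuery {
    param([string]$UserName, [int]$Days, [int[]]$LogonType)
    $windowMs = $Days * 24 * 60 * 60 * 1000          # timediff() compares in milliseconds
    $typeClause = ''
    if ($LogonType) {                                # omit the clause to see every logon type
        $typeClause = "`n        and EventData[Data[@Name='LogonType'] and (" +
                      (($LogonType | ForEach-Object { "Data='$_'" }) -join ' or ') + ")]"
    }
    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]
        and EventData[Data[@Name='TargetUserName']='$UserName']$typeClause]
    </Select>
  </Query>
</QueryList>
"@
}
function Get-EventField($Event, $Name) {
    # Pull one <Data Name="..."> value out of the event's XML rendering.
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}
function Get-UserLogons {
    param([Parameter(Mandatory)][string]$UserName, [int[]]$LogonType = @(2, 7, 10, 11), [int]$Days = 7)
    $events = Get-WinEvent -FilterXml ([xml](New-LogonQuery $UserName $Days $LogonType)) -ErrorAction SilentlyContinue
    if (-not $events) {
        # Nothing matched: drop the LogonType clause and show which types this user does have,
        # so a box that logs type 11 instead of type 2 shows up as such rather than as "no logons".
        Write-Warning "No 4624 events for $UserName with LogonType in ($($LogonType -join ',')) in the last $Days days. Types seen:"
        Get-WinEvent -FilterXml ([xml](New-LogonQuery $UserName $Days)) -ErrorAction SilentlyContinue |
            ForEach-Object { Get-EventField $_ 'LogonType' } | Group-Object | Select-Object Name, Count
        return
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = Get-EventField $e 'TargetUserName'
            LogonType = Get-EventField $e 'LogonType'
            Source    = Get-EventField $e 'WorkstationName'
        }
    }
}
Get-UserLogons -UserName 'john.doe' -Days 7
```

If the filtered query returns nothing but the fallback tally lists only types 3 and 8, the query is fine and the gap is in what the audit policy records, which is where the comments below end up as well.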

Author: Trido

Updated on September 18, 2022

Comments

  • Trido
    Trido over 1 year

    I have been asked to find out when a user has logged on to the system in the last week. Now the audit logs in Windows should contain all the info I need. I think if I search for Event ID 4624 (Logon Success) with a specific AD user and Logon Type 2 (Interactive Logon) that it should give me the information I need, but for the life of me I cannot figure out how to actually filter the Event Log to get this information. Is it possible inside of the Event Viewer or do you need to use an external tool to parse it to this level?

    I found http://nerdsknowbest.blogspot.com.au/2013/03/filter-security-event-logs-by-user-in.html which seemed to be part of what I needed. I modified it slightly to only give me the last 7 days' worth. Below is the XML I tried.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
        <Select Path="Security">*[EventData[Data[@Name='Logon Type']='2']]</Select>
        <Select Path="Security">*[EventData[Data[@Name='subjectUsername']='Domain\Username']]</Select>
      </Query>
    </QueryList>
    

    It only gave me the last 7 days, but the rest of it did not work.

    Can anyone assist me with this?

    EDIT

    Thanks to the suggestions of Lucky Luke I have been making progress. The below is my current query, although as I will explain it isn't returning any results.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
         *[System[(EventID='4624')]
         and
         System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]
         and
         EventData[Data[@Name='TargetUserName']='john.doe']
         and
         EventData[Data[@Name='LogonType']='2']
         ] 
        </Select>
      </Query>
    </QueryList>
    

    As I mentioned, it wasn't returning any results so I have been messing with it a bit. I can get it to produce the results correctly until I add in the LogonType line. After that, it returns no results. Any idea why this might be?

    EDIT 2

    I updated the LogonType line to the following:

    EventData[Data[@Name='LogonType'] and (Data='2' or Data='7')]
    

    This should capture Workstation Logons as well as Workstation Unlocks, but I still get nothing. I then modify it to search for other Logon Types like 3 or 8, which it finds plenty of. This leads me to believe that the query works correctly, but for some reason there are no entries in the Event Logs with Logon Type equalling 2, and this makes no sense to me. Is it possible to turn this off?

    • Lucky Luke
      Lucky Luke over 10 years
      It looks like your query is working if you are getting results with other logon types. It's possible that you need to look at other logon types, in particular logon type 11 which is often used instead of logon type 2 on Vista and later. You can see all the logon types here: myeventlog.com/search/show/799. I bet your logons are of type 11. Let me know.
    • Trido
      Trido over 10 years
      Interestingly, the only non-3 result I get is 8, which I have identified. For some reason there is no 2, 7 or 11, which I would expect to see.
    • Lucky Luke
      Lucky Luke over 10 years
      Have you verified your audit settings in the local security policy (or domain policy if it's part of a domain) to ensure that all logons are being audited? Let me know if you need more info.
    • Lucky Luke
      Lucky Luke over 10 years
      Interesting. Which exact setting did you end up turning on? What's a bit strange is that you were seeing other logon events, yet not the console logons. I was under the impression that they are all configured with the same setting.
  • Trido
    Trido over 10 years
    Hmm, this is odd. When I ran it, I get 0 results returned. Even when I simplify the query to just the Logon Type. I don't really understand why it isn't working.
  • Trido
    Trido over 10 years
    I updated my question with my current query and issue.