Filtering Security Logs by User and Logon Type
Solution 1
You're on the right track; one of the mistakes in your query is the space in 'Logon Type', it should just be 'LogonType'.
I pasted a query below that I have just verified works. It's a bit simplified but you get the idea. It shows you all 4624 events with logon type 2, from user 'john.doe'.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='LogonType']='2']
        and
        EventData[Data[@Name='TargetUserName']='john.doe']
        and
        System[(EventID='4624')]
      ]
    </Select>
  </Query>
</QueryList>
You can find out more about XML queries in the event viewer here: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.
You can query events from the command line with wevtutil.exe: http://technet.microsoft.com/en-us/magazine/dd310329.aspx.
Solution 2
I found this question and had to do a bit of work to parse together content, from the accepted answer and question updates, to get a functional solution. I figured I'd post a complete, working query syntax here for future reference:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)
        and
        TimeCreated[timediff(@SystemTime) <= 2592000000]]
        and
        EventData[Data[@Name='TargetUserName'] and (Data='john.doe')]
        and
        EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>
The above query should work to narrow down the events according to the following parameters:
- Events in the Security log.
- With Event ID 4624.
- Occurring within the past 30 days.
- Associated with user john.doe.
- With LogonType 10.
You can change the LogonTypes in the filter by altering (Data='10') in the above code. For example, you might want to do (Data='2') or (Data='10' or Data='2').
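The query from Solutions 1 and 2, parameterised and run from PowerShell with Get-WinEvent, as an added example (it is not code from either answer). It assumes it is run with rights to read the Security log and uses the question's sample account john.doe.

```powershell
# Added example, not from the original answers: the FilterXml that Solutions 1
# and 2 build by hand, parameterised and run through Get-WinEvent. Assumes
# read access to the Security log; 'john.doe' is the sample account.
function Get-UserLogonEvents {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [int[]] $LogonType = @(2, 7, 10, 11),  # console, unlock, RDP, cached console
        [int]   $Days = 7
    )
    # timediff() compares in milliseconds, so convert days the way the answers
    # do (604800000 = 7 days, 2592000000 = 30 days).
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    # Several logon types are OR-ed inside one predicate, as in Solution 2.
    $typeFilter = ($LogonType | ForEach-Object { "Data='$_'" }) -join ' or '
    # Every condition sits in ONE <Select>: separate <Select> elements are
    # unioned, which is why the question's first query matched too much.
    # '<=' is written as &lt;= so the string is well-formed XML.
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]
        and EventData[Data[@Name='TargetUserName']='$UserName']
        and EventData[Data[@Name='LogonType'] and ($typeFilter)]]
    </Select>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields out of the event's XML rendering
        $e = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $d.TargetUserName
            LogonType   = $d.LogonType
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
        }
    }
}

# Console logons (type 2, or 11 on Vista and later) for john.doe, last 7 days
Get-UserLogonEvents -UserName 'john.doe' -LogonType 2, 11 | Format-Table -AutoSize

# Empty output does not prove the query is wrong: check that logon auditing is
# on, as Lucky Luke suggested, with:  auditpol /get /subcategory:"Logon"
```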
Trido
Updated on September 18, 2022
Comments
-
Trido over 1 year
I have been asked to find out when a user has logged on to the system in the last week. Now the audit logs in Windows should contain all the info I need. I think if I search for Event ID 4624 (Logon Success) with a specific AD user and Logon Type 2 (Interactive Logon) that it should give me the information I need, but for the life of me I cannot figure out how to actually filter the Event Log to get this information. Is it possible inside of the Event Viewer or do you need to use an external tool to parse it to this level?
I found http://nerdsknowbest.blogspot.com.au/2013/03/filter-security-event-logs-by-user-in.html which seemed to be part of what I needed. I modified it slightly to only give me the last 7 days worth. Below is the XML I tried.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 604800000]]]</Select>
    <Select Path="Security">*[EventData[Data[@Name='Logon Type']='2']]</Select>
    <Select Path="Security">*[EventData[Data[@Name='subjectUsername']='Domain\Username']]</Select>
  </Query>
</QueryList>
It only gave me the last 7 days, but the rest of it did not work.
Can anyone assist me with this?
EDIT
Thanks to the suggestions of Lucky Luke I have been making progress. The below is my current query, although as I will explain it isn't returning any results.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]
        and System[TimeCreated[timediff(@SystemTime) <= 604800000]]
        and EventData[Data[@Name='TargetUserName']='john.doe']
        and EventData[Data[@Name='LogonType']='2']
      ]
    </Select>
  </Query>
</QueryList>
As I mentioned, it wasn't returning any results so I have been messing with it a bit. I can get it to produce the results correctly until I add in the LogonType line. After that, it returns no results. Any idea why this might be?
EDIT 2
I updated the LogonType line to the following:
EventData[Data[@Name='LogonType'] and (Data='2' or Data='7')]
This should capture Workstation Logons as well as Workstation Unlocks, but I still get nothing. I then modify it to search for other Logon Types like 3 or 8, which it finds plenty of. This leads me to believe that the query works correctly, but for some reason there are no entries in the Event Logs with Logon Type equalling 2, and this makes no sense to me. Is it possible to turn this off?
-
Lucky Luke over 10 years
It looks like your query is working if you are getting results with other logon types. It's possible that you need to look at other logon types, in particular logon type 11 which is often used instead of logon type 2 on Vista and later. You can see all the logon types here: myeventlog.com/search/show/799. I bet your logons are of type 11. Let me know.
-
Trido over 10 years
Interestingly, the only non-3 result I get is 8, which I have identified. For some reason there is no 2, 7 or 11, which I would expect to see.
-
Lucky Luke over 10 years
Have you verified your audit settings in the local security policy (or domain policy if it's part of a domain) to ensure that all logons are being audited? Let me know if you need more info.
-
Lucky Luke over 10 years
Interesting. Which exact setting did you end up turning on? What's a bit strange is that you were seeing other logon events, yet not the console logons. I was under the impression that they are all configured with the same setting.
-
Trido over 10 years
Hmm, this is odd. When I ran it, I get 0 results returned. Even when I simplify the query to just the Logon Type. I don't really understand why it isn't working.
-
Trido over 10 years
I updated my question with my current query and issue.