Windows Server – Filtering Security Logs by User and Logon Type

eventviewerSecuritywindows-event-logwindows-server-2008

I have been asked to find out when a user has logged on to the system in the last week. Now the audit logs in Windows should contain all the info I need. I think if I search for Event ID 4624 (Logon Success) with a specific AD user and Logon Type 2 (Interactive Logon) that it should give me the information I need, but for the life of my I cannot figure out how to actually filter the Event Log to get this information. Is it possible inside of the Event Viewer or do you need to use an external tool to parse it to this level?

I found http://nerdsknowbest.blogspot.com.au/2013/03/filter-security-event-logs-by-user-in.html which seemed to be part of what I needed. I modified it slightly to only give me the last 7 days worth. Below is the XML I tried.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="Security">*[EventData[Data[@Name='Logon Type']='2']]</Select>
    <Select Path="Security">*[EventData[Data[@Name='subjectUsername']='Domain\Username']]</Select>
  </Query>
</QueryList>

It only gave me the last 7 days, but the rest of it did not work.

Can anyone assist me with this?

EDIT

Thanks to the suggestions of Lucky Luke I have been making progress. The below is my current query, although as I will explain it isn't returning any results.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
     and
     System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]
     and
     EventData[Data[@Name='TargetUserName']='john.doe']
     and
     EventData[Data[@Name='LogonType']='2']
     ] 
    </Select>
  </Query>
</QueryList>

As I mentioned, it wasn't returning any results so I have been messing with it a bit. I can get it to produce the results correctly until I add in the LogonType line. After that, it returns no results. Any idea why this might be?

EDIT 2

I updated the LogonType line to the following:

EventData[Data[@Name='LogonType'] and (Data='2' or Data='7')]

This should capture Workstation Logons as well as Workstation Unlocks, but I still get nothing. I then modify it to search for other Logon Types like 3, or 8 which it finds plenty of. This leads me to believe that the query works correctly, but for some reason there are no entries in the Event Logs with Logon Type equalling 2 and this makes no sense to me. Is it possible to turn this off?

Best Answer

You're on the right track - one of the mistakes in your query is the space in 'Logon Type', it should just be 'LogonType'.

I pasted a query below that I have just verified works. It's a bit simplified but you get the idea. It shows you all 4624 events with logon type 2, from user 'john.doe'.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='LogonType']='2']
        and
        EventData[Data[@Name='TargetUserName']='john.doe']
        and
        System[(EventID='4624')]
      ] 
    </Select>
  </Query>
</QueryList>

You can find out more about XML queries in the event viewer here: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.

You can query events from the command line with wevtutil.exe: http://technet.microsoft.com/en-us/magazine/dd310329.aspx.

Related Solutions

Windows Server 2008 – Email on Event Variables

I went about this a bit differently, but this approach generates emails on new events that match a custom filter, with all the event details included in the email body.

1) Create a 'Custom View' in the Event Viewer with your desired filter.

2) Once you have the view, you should see a link to 'Attach Task to This Custom View...'.

I chose to use sendMail.exe from here (http://caspian.dotconf.net/menu/Software/SendEmail/) which I extracted to C:\sendmail. The reason is Microsoft's 'Send an email' action has issues with SMTP authentication and also apparently isn't even present in Server 2012.

So in my case I selected 'Start a program' while attaching the task to the Custom View. But we're going to edit it as XML so don't worry about filling it in via the GUI.

3) Export the new Task to XML, we'll be editing it later.

4) Create a 'mail-event.bat' file under C:\sendmail folder with the following 3 lines:

C:\Windows\system32\wevtutil.exe qe Application /f:text /q:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(EventRecordID=%1)]]</Select></Query></QueryList>" > C:\sendmail\%1.log
C:\sendmail\sendEmail.exe -s <smtp_server> -f <from> -xu <user> -xp <pass> -t <to> -u "<subject>" -o message-file=c:\sendmail\%1.log
del C:\sendmail\%1.log

Obviously, replace 'smtp_server', 'from', 'user', 'pass', 'to', 'subject' with the desired values.

This will create a '$(EventRecordID).log' file under C:\sendmail with all the details for that event, mail it, and then delete it.

You can test if the batch file works by going into Event Viewer, opening an event in your Applications log, switching to Details tab, selecting 'XML View' and then look for EventRecordID. Copy that integer, and then run from the command line:

C:\sendmail> log-event.bat 53522

Of course, replacing 53522 with the value from the EventRecordID node. If you receive the email, go to your happy place.

NOTE WELL: You might have noticed the string 'Application' shows up a couple times in the command line for wevtutil.exe -- that's because I couldn't seem to get it to work by pointing it directly at the Custom View, and my Custom View happened to be a sub-set of events that are all inside the Application log. You might have to adjust that to make it work in your case if your trying to mail events from the System log, for example.

5) Edit the XML you exported, we're going to make two changes:

First, add the following 'ValueQueries' node into the XML under the 'EventTrigger' node:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>...snip...</Subscription>
  <ValueQueries>
    <Value name="EventRecordID">Event/System/EventRecordID</Value>
  </ValueQueries>  
</EventTrigger>

NOTE: In the above, I snipped the 'Subscription' info which will have been filled in based on the Custom View you created. Don't copy my 'Subscription' into your XML!

Second, replace the Actions node with the following:

<Actions Context="Author">
   <Exec>
     <Command>C:\sendmail\mail_event.bat</Command>
     <Arguments>$(EventRecordID)</Arguments>
   </Exec>
</Actions>

Now, cause a new event to appear in your Custom View, and you should automatically get the email notification! Woohoo!

Windows – troubling anonymous Logon events in Windows Security event log

The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood, find what file shares or printers you are sharing, etc.

It is also why Windows admins say never to grant share permissions to the "Everyone" group (unless you know what you are doing), because "Everyone" also includes "no one"--er, ANONYMOUS. Rest assured that unless you

Anyway, in this case you probably want to lock it down with Registy settings or better yet, Local or Group Policies. Look in your policy editor under Computer Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions for the following options:

Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously

Best Answer

Related Solutions

Windows Server 2008 – Email on Event Variables

Windows – troubling anonymous Logon events in Windows Security event log

Related Topic