Hi folks,
I think I'm asking something similar to a few other posts, but instead of hijacking their threads, I thought I'd start my own.
As the subject suggests, I'm trying to extract from a 2008R2 server's Event logs a table of users and their respective login / out events. Not just asking AD for their last login times, but a list of login / out events.
So far, I'm using:
Get-EventLog -LogName Security -Newest 1000 | Where-Object { $_.EventID -eq 4624 -or $_.EventID -eq 4634 }
but the list is long, and contains host authentication connections as well as users. I believe I need something like the ability to filter on "user is a domain user", or "user is not a computer", or similar, and then pipe it to Export-CSV, but the data is not in CSV form; it is more like text, i.e.:
Index : 87290035
EntryType : SuccessAudit
InstanceId : 5156
Message : The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1688
Application Name: \device\harddiskvolume2\windows\system32\dns.exe
Network Information:
Direction: %%14592
Source Address: 192.168.xx.xx
Source Port: 53
Destination Address: 192.168.xx.xx
Destination Port: 44242
Protocol: 17
Filter Information:
Filter Run-Time ID: 66055
Layer Name: %%14610
Layer Run-Time ID: 44
Category : (12810)
CategoryNumber : 12810
ReplacementStrings : {1688, \device\harddiskvolume2\windows\system32\dns.exe, %%14592, 192.168.xx.xx...}
Source : Microsoft-Windows-Security-Auditing
TimeGenerated : 28/01/2011 4:46:35 PM
TimeWritten : 28/01/2011 4:46:35 PM
UserName :
Why is that even coming up as a result?
Ideally, I would like a CSV file containing these columns:
User,timestamp,computer,logon/off
I've thought about adding a script to the Group Policy where it runs on local machines and appends details to a file on a network share, but I think I would prefer to run this locally, perhaps periodically as a script.
-- Ebor Administrator
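One way to produce the User,timestamp,computer,logon/off table asked for above, as an added PowerShell example that is not from the original post or its author: it asks the Security log only for IDs 4624 and 4634 (so an unrelated 5156 cannot appear), reads the structured EventData fields instead of the Message text, drops computer accounts (names ending in $) and built-in non-user principals, and writes the CSV. The output path and the 5000-event limit are assumptions; it is written for the PowerShell 2.0 that ships with 2008 R2 and run locally as an administrator.

```powershell
# Added example, not from the original post: build the User,Timestamp,Computer,Logon/off
# table from the Security log on the local 2008 R2 server (run as an administrator).
$OutFile = 'C:\Temp\logon-events.csv'   # assumption: adjust the output path

# Ask the log only for logon (4624) and logoff (4634) records. Filtering by Id in the
# hashtable means unrelated IDs such as 5156 never reach the pipeline at all.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } -MaxEvents 5000

$rows = foreach ($e in $events) {
    # Read the structured EventData fields instead of parsing the Message text.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $user   = $d['TargetUserName']
    $domain = $d['TargetDomainName']

    # Drop machine accounts (trailing $) and built-in principals that are not people.
    if ($user -match '\$$') { continue }
    if ($domain -eq 'NT AUTHORITY' -or $user -eq 'ANONYMOUS LOGON' -or $user -eq '-') { continue }

    if ($e.Id -eq 4624) { $action = 'logon' } else { $action = 'logoff' }

    New-Object PSObject -Property @{
        User      = "$domain\$user"
        Timestamp = $e.TimeCreated
        Computer  = $e.MachineName
        LogonType = $d['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
        Event     = $action
    }
}

# Select-Object fixes the column order (hashtable order is not preserved in PS 2.0).
$rows | Sort-Object Timestamp |
    Select-Object User, Timestamp, Computer, LogonType, Event |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Keeping LogonType in the output lets you separate interactive and RDP sessions from the network logons that service accounts and file shares generate, which is usually what makes the 4624 list look so long.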