Filtering Security Event Logs with Powershell

If you’ve ever had to dig through the Windows Security event log for a specific event, you know it’s a bit of a pain. Fortunately, you can speed up your search with PowerShell’s Get-EventLog cmdlet.

Let’s look at filtering the security logs to see who has logged on to a computer. The Event ID for a Logon event is 4624.

[Screenshot: logon1.png]

However, there are 8 types of logon (they are explained here), and the Event ID alone doesn’t tell you which one occurred.

When I’m investigating whether a normal user has accessed a machine, I’m generally looking for:

  • Type 2: Interactive
  • Type 10: Remote Interactive
  • Type 11: Cached Interactive

Simple filtering within eventvwr.msc doesn’t offer the granularity to filter by logon type. The Get-EventLog cmdlet is a much better fit for that task.

Remembering to run as administrator…

# Security log entries after 1/11/2017 (parsed in the local date format), Event ID 4624, logon types 2, 10 and 11
Get-EventLog -LogName Security -After 1/11/2017 |
    Where-Object { $_.InstanceId -eq 4624 } |
    Where-Object { ($_.ReplacementStrings[8] -eq 2) -or ($_.ReplacementStrings[8] -eq 10) -or ($_.ReplacementStrings[8] -eq 11) } |
    Select-Object TimeGenerated,
                  @{ Name = 'User';      Expression = { $_.ReplacementStrings[5] } },
                  @{ Name = 'LogonType'; Expression = { $_.ReplacementStrings[8] } }

Now, we didn’t simply ask for the User and Logon Type shown in the event description; we had to reference $_.ReplacementStrings.

$_.ReplacementStrings is an array with the various values of the event that you see in the event viewer message body.

$_.ReplacementStrings[8] pulls the logon type value out of the array. In the shot below, you can see this is Type 2: Interactive.

[Screenshot: logon2.png]
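As an added example (not from the original post), here is the same filter wrapped in a reusable function that labels each logon type by name and pulls the domain, workstation and source address out of the same ReplacementStrings array. Indexes 5 and 8 are the ones used above; indexes 6, 11 and 18 follow the standard 4624 layout and are an assumption to verify against your own Windows build.

```powershell
function Get-InteractiveLogon {
    [CmdletBinding()]
    param(
        [datetime]$After = (Get-Date).AddDays(-1),
        [int[]]$LogonType = @(2, 10, 11),          # the "someone sat at it" logon types
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Logon type codes as they appear in the 4624 event description
    $typeNames = @{
        2  = 'Interactive'
        3  = 'Network'
        4  = 'Batch'
        5  = 'Service'
        7  = 'Unlock'
        8  = 'NetworkCleartext'
        9  = 'NewCredentials'
        10 = 'RemoteInteractive'
        11 = 'CachedInteractive'
    }

    # -InstanceId 4624 filters server-side instead of in a Where-Object, which is faster on a large log
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After -InstanceId 4624 |
        ForEach-Object {
            $rs = $_.ReplacementStrings
            # ReplacementStrings holds strings; cast the logon type before comparing
            $type = [int]$rs[8]
            if ($LogonType -contains $type) {
                [pscustomobject]@{
                    Time          = $_.TimeGenerated
                    User          = "$($rs[6])\$($rs[5])"   # TargetDomainName\TargetUserName
                    LogonType     = $type
                    LogonTypeName = $typeNames[$type]
                    Workstation   = $rs[11]                  # WorkstationName (assumed index)
                    SourceIP      = $rs[18]                  # IpAddress (assumed index)
                }
            }
        }
}

# Interactive, RDP and cached logons since 11 Jan 2017, with machine accounts (names ending in $) dropped
Get-InteractiveLogon -After '2017-01-11' |
    Where-Object { $_.User -notlike '*$' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it from an elevated prompt, as with the one-liner above. Get-EventLog is only present in Windows PowerShell 5.1 and earlier; on PowerShell 7 the equivalent query is built with Get-WinEvent -FilterHashtable.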

It’s definitely more efficient than poking through Event Viewer; a win for PowerShell.
