Event Log Analyzer

[HCHTech]

I got what seemed like a simple request from the controller at one of our clients yesterday: "Can you give me a list of failed & successful logons to my computer over the last couple of weeks? I work mostly remote and I'm concerned someone in the office is walking up to my computer and using it when I'm not connected." Uneducated me: "Sure! It's all there in the event logs, I'll save copies and take a look, then get back to you."

Failed Logons produce event 4625 in the Security log
Successful logons produce event 4624 in the Security log
Easy, right?

Then I get a look at the logs. 25,000 events in the Security log. I sort them by Event ID and get the failed events first - pretty easy. Successful events, not so much. There are thousands. In the text of the event, there is the variable "Logon Type". 9 possible values in this variable, only one of which represents someone logging in at the keyboard, which is type "2". The others are service logons, connecting to shared resources, RDP logons, etc.

There is no way to sort by this detail, sadly. I try exporting the log to a CSV file, but the result still doesn't let me parse the answer I'm looking for. Some log entries are a single row, but many, many of them are multiple rows in the spreadsheet, and the "2" I'm looking for is all by itself in the middle of the several rows that represent the single log entry. No way to sort them all together.

I ended up back in event viewer manually arrowing-down through the thousands of 4624 entries looking for Logon Type 2. 45 minutes and one sore forearm later, I've got the list. I probably should have downloaded one of the paid analyzer software free trials, but I didn't.

So the NEXT time someone asks me this question, I'd like to be a bit better prepared. Does anyone have a better approach at sifting out this data?

 

[trevm999]

Powershell

 

[britechguy]

Powershell

A bit wide-ranging, dontcha think?

 

[AlexCa]

Maybe: https://www.nirsoft.net/utils/windows_log_on_times_view.html

 

[Sky-Knight]

I'll echo the Nirsoft tool, it works wonderfully for this.

 

[HCHTech]

TIL - thanks!

 

[britechguy]

I constantly forget what a range of really, really helpful - and task focused - utilities are available from Nirsoft.

 

[trevm999]

A bit wide-ranging, dontcha think?

Get-EventLog -LogName Security -InstanceID 4624 | Where Message -match 'Logon Type:\s*2' | Select -ExpandProperty Message


Happy?

 

[britechguy]

Happy?

Yes. That's an actual answer to the question posed.

 

[trevm999]

Yes. That's an actual answer to the question posed.

Both answers in this thread were tools. Like, the tool OP had already tried (Excel) it can be used with any data. I don't how it failed it answer the question, it just didn't give details on how to use it. Which, these days you could probably just ask ChatGPT.

 

[Sky-Knight]

The only problem in this situation is the fact that people do not understand just how many times they authenticate with a given system.

It's trivial to use the event viewer to read login failures, but if you try to interpret login success you're going to be in there ALL DAY because there are thousands of events over a given 24 hour period even on a single user system that see light use.

 

[britechguy]

Which, these days you could probably just ask ChatGPT.

Which many of us don't even want to deal with. Forums such as these exist so that people can interact with other people, and when they have specific questions, which was the case here, what they're looking for are specific answers.

The NirSoft utility was a specific answer. PowerShell was not (the actual line of PowerShell code was - and it's what you should have led with.)

What in heaven's name is the point in burying the lede?

 

[trevm999]

Which many of us don't even want to deal with. Forums such as these exist so that people can interact with other people, and when they have specific questions, which was the case here, what they're looking for are specific answers.

The NirSoft utility was a specific answer. PowerShell was not (the actual line of PowerShell code was - and it's what you should have led with.)

What in heaven's name is the point in burying the lede?

Replace ChatGPT with Google (which we can in this case) and that's saying most of you don't want to deal with searching for any solution yourselves.

It's perfectly valid for OP to what to know what other people are using. That is useful context, but techs shouldn't need to be spoonfed information. If OP was interested in that as a solution, they could have easily Googled it and then asked any questions if there was additional context they wanted to know. I'm pretty familiar with Powershell, but it's not like I know every command off the top of my head. I provided the information on the tool I use, I didn't think the OP was asking for a LMGTFY.

Today there was a specific utility for the purpose, but that is certainly not always the case. Poor OP was manually filtering data like it's the dark ages.

 

[britechguy]

@trevm999

Saying "PowerShell" as you did in the context you did is like answering the question, "Where do you live?," when it's being asked by someone trying to visit you with, "Pennsylvania." It's uselessly broad, and whether you like it or not, that kind of thing comes across as snarky and not helpful.

And on a group such as this, when a specific question is asked, I, personally, expect and give specific answers. I don't expect everyone to go out and research a broad area because I can't be bothered to state, in clear language, what it is I'm proposing. That's not spoonfeeding, that's being appropriately precise.

But with this, I'm out. This wasn't supposed to be a pissing match, and it's become one. You can take the feedback I've given, or not, but my position that you were being incredibly vague, to the extent that the reply was essentially useless, still stands.

 

[nlinecomputers]

There is spoonfeeding and then there is the opposite extreme.

 

[nlinecomputers]

The only problem in this situation is the fact that people do not understand just how many times they authenticate with a given system.

It's trivial to use the event viewer to read login failures, but if you try to interpret login success you're going to be in there ALL DAY because there are thousands of events over a given 24 hour period even on a single user system that see light use.

This. I have to ask and would ask the end user, what is the purpose of the request. What are they trying to figure out? I assume that they are concerned about his employees/coworkers accessing his system then he should change the password. If the hardware MUST be used by more than one employee then individual users should be created so that Joe Smith isn't snooping into Bob Jones's emails.

 

[britechguy]

I have to ask and would ask the end user, what is the purpose of the request. What are they trying to figure out?

Amen to that! And not just in this context.

I can't count the number of times where what was wanted, and what was being done to get it prior to any consultation with someone who knows what they're doing, are at a complete disconnect.

It's also interesting to see how often the requesting person has no clear idea of what it is they're trying to figure out. They have a vague discomfort about something, but can't even put their finger on what.

 

[HCHTech]

Some facts since this turned into such a thing:

• The reason the client was interested was that they were concerned someone else from the office had gained physical access to their computer. This was the controller's computer, so this would be a bad thing. We changed the user password within 5 minutes of their call. We also discussed adding Duo.
• I saved the event logs then as well to keep a copy from as soon after the suspected access as possible.
• I did google, of course - I'm not an idiot. In my analysis of the results, it would have taken a paid tool to get what I was after, so recognizing that this type of request is very rare for me, I decided it wasn't worth the $. After the Excel attempt failed, recognizing that both a) I didn't have time to spend all day on this task and b) the client wouldn't want to pay for me to spend all day on this task, I just went ahead an brute-forced the solution. It absolutely took longer than I thought it would, but still less than an hour, so in retrospect, my judgement call was correct on the value of my time vs. the cost of a tool (and it's potential learning curve) to make the job easier.
• The powershell command linked was designed to work on the live log on Windows, not on a saved log located elsewhere. I'm sure it could have been modified to do that, but that would also take more time and more education in powershell than I have. Also, just for fun, I ran the command on my own computer and while it did produce a long list of logins, it did NOT give dates and times. So that was the wrong command to give the results I was looking for.
• All-in-all, it took me 15 minutes to make the decision to do this the hard way, and 45 minutes to produce the list of logons. So it took me an hour, I'm billing an hour and the client got the answer they were looking for (no logins other than theirs when they were connected remotely). My question was valid on its face: "In case i have to do this job again, is there a better way". The answer was also provided with the link to Nirsoft's tool.
• I can imagine, though, that the next time I get a job like this, it will be something different where I want to search through the event logs looking for something else that Windows event viewer won't let me filter out easily. My mind was stuck on "event log analyzer" as opposed to "login verifier"; that's why I didn't find Nirsoft's tool on my own. This point is still valid, so who knows, maybe I WILL buy one of those tools just to have it in my quiver.

 

[Sky-Knight]

@HCHTech Microsoft's answer is to join the machine to Azure Active Directory, and then you can use the sign-in logs in the Azure Portal to get the details you want.

You can of course get it from the local event log, but that has issues... as you discovered. Azure makes this as easy as it can be. Downside? On Basic/Standard subs you've only got 14 days of logs.