Security event log parsing

  • Thread starter Thread starter Mark Scholl
  • Start date Start date
M

Mark Scholl

Guest
I have a Bank client where the examiners have requested that the security
event log be dumped, printed and reviewed daily for events showing user
login and logout events. They have only one domain controller.

Event ID's 538 and 540 appear to be the events I would like to filter.
However, There are many events from the system user that I would like to
exclude using these event ID's.

I've looked at PSLogList from the PSTools suite but I don't find a switch to
exclude the events from the system user.

Any easy options?

mark scholl
 
Re: Security event log parsing

hello,

did you try:
psloglist.exe \\remotedc -i 538,540 -x security ?



--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mark Scholl" <mscholl@lcvcpa.com> wrote in message
news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
>I have a Bank client where the examiners have requested that the security
>event log be dumped, printed and reviewed daily for events showing user
>login and logout events. They have only one domain controller.
>
> Event ID's 538 and 540 appear to be the events I would like to filter.
> However, There are many events from the system user that I would like to
> exclude using these event ID's.
>
> I've looked at PSLogList from the PSTools suite but I don't find a switch
> to exclude the events from the system user.
>
> Any easy options?
>
> mark scholl
>
 
Re: Security event log parsing

This syntax does not filter out filter out events from user "NT
Authority\System". I want to parse out events created by non-user accounts.

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:eio9$LO5HHA.3716@TK2MSFTNGP03.phx.gbl...
> hello,
>
> did you try:
> psloglist.exe \\remotedc -i 538,540 -x security ?
>
>
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "Mark Scholl" <mscholl@lcvcpa.com> wrote in message
> news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
>>I have a Bank client where the examiners have requested that the security
>>event log be dumped, printed and reviewed daily for events showing user
>>login and logout events. They have only one domain controller.
>>
>> Event ID's 538 and 540 appear to be the events I would like to filter.
>> However, There are many events from the system user that I would like to
>> exclude using these event ID's.
>>
>> I've looked at PSLogList from the PSTools suite but I don't find a switch
>> to exclude the events from the system user.
>>
>> Any easy options?
>>
>> mark scholl
>>
>
 
Re: Security event log parsing

ok i didn't understand your problem, sorry.

You may turn to vbscript to achieve this (or even powershell)

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mark Scholl" <mscholl@lcvcpa.com> wrote in message
news:eRKrX9O5HHA.1188@TK2MSFTNGP04.phx.gbl...
> This syntax does not filter out filter out events from user "NT
> Authority\System". I want to parse out events created by non-user
> accounts.
>
> "Mathieu CHATEAU" <gollum123@free.fr> wrote in message
> news:eio9$LO5HHA.3716@TK2MSFTNGP03.phx.gbl...
>> hello,
>>
>> did you try:
>> psloglist.exe \\remotedc -i 538,540 -x security ?
>>
>>
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>>
>> "Mark Scholl" <mscholl@lcvcpa.com> wrote in message
>> news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
>>>I have a Bank client where the examiners have requested that the security
>>>event log be dumped, printed and reviewed daily for events showing user
>>>login and logout events. They have only one domain controller.
>>>
>>> Event ID's 538 and 540 appear to be the events I would like to filter.
>>> However, There are many events from the system user that I would like to
>>> exclude using these event ID's.
>>>
>>> I've looked at PSLogList from the PSTools suite but I don't find a
>>> switch to exclude the events from the system user.
>>>
>>> Any easy options?
>>>
>>> mark scholl
>>>
>>
>
>
 
Back
Top