Tina's statement is correct, but I think Bruno's problem is slightly different - he wants to filter a single machine's log on an insertion string.

Using WMI, you can directly access an event's insertion strings, enabling the query you're asking about. Here's some sample VBScript that will get you the first 90% of the way, the second 90% is up to you. No, I won't give any further programming assistance 'cause it took me too long to figure this out myself :-)

---CUT HERE---
'security
On Error Resume Next
strComputer = "."

' The (security) privilege is required to read the Security log.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(security)}\\" & strComputer & "\root\cimv2")

' 48 = return immediately + forward-only enumerator.
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile='Security'",,48)

For Each objItem in colItems
    Wscript.Echo "Timestamp: " & objItem.TimeGenerated
    Wscript.Echo "User: " & objItem.User
    Wscript.Echo "Computer: " & objItem.ComputerName
    Wscript.Echo "Type: " & objItem.Type
    Wscript.Echo "Source: " & objItem.SourceName
    Wscript.Echo "Category: " & objItem.CategoryString
    Wscript.Echo "Event ID: " & objItem.EventIdentifier
    Wscript.Echo "Description:"
    ' The per-event details (user name, workstation, ...) live here.
    For Each insertString in objItem.InsertionStrings
        WScript.Echo "   " & insertString
    Next
    Wscript.Echo
Next
---CUT HERE---

Eric

The above message is provided "AS-IS" with no warranty, and confers no rights.

-----Original Message-----
From: loganalysis-bouncesat_private [mailto:loganalysis-bouncesat_private] On Behalf Of Tina Bird
Sent: Friday, June 27, 2003 8:57 AM
To: Bruno Osuch
Cc: 'loganalysisat_private'
Subject: Re: [logs] FW: Windows Auditing question

On Fri, 27 Jun 2003, Bruno Osuch wrote:

> > Hello. My supervisor has asked me to start monitoring bad or failed
> > logon attempts for users. I set up auditing but the "windows Event
> > viewer" does not give me the proper data. I am running NT 4 server
> > sp6a. The column for username just gives me "system" & the computer
> > description is always the "$pdc" computer name. I have to open each
> > event in "details" to get the info for individuals. When I "export"
> > the data to xls I still only get the generic data NOT the detailed
> > info I need to determine the "username & computer" the failed
> > attempts are coming from. Any way to do this? Or what am I missing
> > here?

you're in a windows NT environment, right? and clearly there's a domain involved. it sounds like you've enabled login auditing on the primary domain controller. unfortunately, on an NT 4 domain, the events for user login and logout are only recorded on the local workstations, not on the domain controller. so you can either grab logs from all your workstations, or upgrade to win2k that records domain logins at the domain controller.

i'll see if i can find a reference to this, but i've got to go to a meeting...

HTH -- tbird

--
I was being patient, but it took too long. -- Anya, BtVS

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
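
The filtering step the reply leaves open, sketched as an added example that is not part of the original post: it tallies failed logons per account and workstation from the insertion strings. It assumes event ID 529 (logon failure, unknown user name or bad password) and the insertion-string order user name, domain, logon type, logon process, authentication package, workstation name; neither is stated in the thread, so check one real event on the target system before relying on the indexes.

```vbscript
' Added example: count failed logons by account and source workstation.
' Assumptions (not from the thread): event ID 529 is the failed-logon event,
' and its insertion strings are ordered user, domain, logon type,
' logon process, authentication package, workstation.
Option Explicit

Const FAILED_LOGON_ID = 529
Const IDX_USER = 0, IDX_DOMAIN = 1, IDX_WORKSTATION = 5

Dim strComputer, objWMIService, colItems, objItem, counts, ins, key

strComputer = "."
Set counts = CreateObject("Scripting.Dictionary")
counts.CompareMode = vbTextCompare   ' account names are case-insensitive

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(security)}\\" & _
    strComputer & "\root\cimv2")

' WQL cannot filter on array properties such as InsertionStrings, so let WMI
' narrow by log file and event code and inspect the strings client-side.
Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile='Security' And EventCode=" & _
    FAILED_LOGON_ID, , 48)

For Each objItem In colItems
    ins = objItem.InsertionStrings
    ' Skip events with missing or short string arrays instead of failing.
    If IsArray(ins) Then
        If UBound(ins) >= IDX_WORKSTATION Then
            key = ins(IDX_DOMAIN) & "\" & ins(IDX_USER) & " from " & ins(IDX_WORKSTATION)
            If counts.Exists(key) Then
                counts(key) = counts(key) + 1
            Else
                counts.Add key, 1
            End If
        End If
    End If
Next

' One line per account/workstation pair: count, then identity.
For Each key In counts.Keys
    WScript.Echo counts(key) & vbTab & key
Next
```

On an NT 4 domain this has to run against each workstation's log, per Tina's point that the domain controller does not record the logon events.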
This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 13:27:45 PDT