Hello,
I'm trying to write a script that will pull the interactive logon/logoff entries for a specific user in Event Viewer via powershell. I've tried several scripts like the one below, but they are giving me inaccurate entries. For instance I ran the one below yesterday on my local computer and again today and it's missing the logon and logoff entries for yesterday. Can anybody assist me.
Thanks in advance,
# Variables
# Reads the hostname, sets to the local hostname if left blank
$hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)"
if ($hostname.length -eq 0){$hostname = $env:computername}
# Reads the start date, sets to 1/1/2015 if left blank
$startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2015)"
if ($startTmp.length -eq 0){$startTmp = "1/1/2015"}
$startDate = get-date $startTmp
# Reads the end date, sets to the current date and time if left blank
$endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)"
if ($endTmp.length -eq 0){$endTmp = get-date}
$endDate = get-date $endTmp
# Reads a Yes or No response to print only the failed login attempts, defaults to No
$scope = read-host "Print only failed logins (Y/N, default N)"
if ($scope.length -eq 0){$scope = "N"}
# Writes a line with all the parameters selected for report
write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"
# Store each event from the Security Log with the specificed dates and computer in an array
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate
# Loop through each security event, print only failed login attempts
if ($scope -match "Y"){
foreach ($i in $log){
# Logon Failure Events, marked red
# Local
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red"
}
# Remote
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor
"red"
}
}
}
# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote
else{
foreach ($i in $log){
# Logon Successful Events
# Local (Logon Type 2)
if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5]
}
# Remote (Logon Type 10)
if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[18]
}
# Logon Failure Events, marked red
# Local
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red"
}
# Remote
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor
"red"
}
# Logoff Events
if ($i.EventID -eq 4647 ){
write-host "Type: Logoff`t`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[1]
}
}
}
Other recent topics
