wevtutil to retrieve security log with special string
Hi. On Win2003 I use eventquery.vbs to retrieve security log logon/logout info for administrative users on a DC. It works very well. Now on Server 2008 it does not work anymore. I found wevtutil to retrieve security log info, but it seems very complex to me and I am not able to accomplish the goal.

wevtutil qe security /rd:true /f:text /q:"*[System/EventID=4634 and 4624] and *[EventData/Data[@Name='TargetUserName']='Administrator']" /c:20 >c:\temp\log.txt

retrieves the necessary info, but only for the last 20. I'd like to narrow it down to the last 24 hours. I'm not able to add the "TimeCreated[timediff" option. What I need is: a time option to narrow it down, to add more TargetUserNames, and that the file (log.txt) should be named with the date of the day when the script was started, e.g. 20091216_dc1.log. Thanks for any help. Kuno
December 17th, 2009 11:59am

I don't know how to achieve this with wevtutil, however you may consider using the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP/Port usage, admin's automation tool Windows PowerShell. Check this example:

$date = (Get-Date).AddDays(-1)
Get-EventLog Security | ?{($_.EventID -eq 4634 -or $_.EventID -eq 4624) `
    -and $_.message -like "*Account name:*Administrator*" -and $_.timegenerated -gt $date}

To build the filename format you can use this:

$date = (Get-Date).AddDays(-1)
$events = Get-EventLog Security | ?{($_.EventID -eq 4634 -or $_.EventID -eq 4624) `
    -and $_.message -like "*Account name:*Administrator*" -and $_.timegenerated -gt $date}
$filename = (Get-Date -Format yyyyMMdd) + "_dc1.log"
$events > c:\logs\$filename

http://www.sysadmins.lv
December 17th, 2009 9:44pm

Thanks for your help. I'm not used to working on the PowerShell. How do I input this on the shell? I tried to narrow it down... When I write

Get-EventLog Security | ?{$_.EventID -eq 4634 -or $_.EventID -eq 4624}

I see an output, but

Get-EventLog Security | ?{$_.EventID -eq 4634 -or $_.EventID -eq 4624 -and $_.message -like "*Account name:*Administrator*"}

does not produce any output, even so the whole string... Do I have to write the sign ' after 4624? When I do so, after the input I get a >> on the shell. Can I use this as a cmdlet, e.g. log.ps? Regards, Kuno
December 18th, 2009 12:14pm

` (backtick sign) is used to tell the parser that the current command continues on the next line. I have tested this command on a 2008 server and it returns all Administrator logon/logoff records for me. When you place a backtick you will get a new prompt such as >>. You can continue typing the command on the new line and press Enter twice to run this command.
http://www.sysadmins.lv
December 18th, 2009 12:39pm

Get-EventLog Security | ?{$_.EventID -eq 4634 -or $_.EventID -eq 4624}

gives me: "The description for Event ID '4634' in Source 'Microsoft-Windows-Security-Auditing' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them."

Maybe this is the problem? But if I look in the event log, logon/logoff events are displayed with event IDs 4634 and 4624...
December 18th, 2009 1:38pm

It looks like you have missed one update that solves this issue. I will try to find this update number.
http://www.sysadmins.lv
December 18th, 2009 5:00pm

Hi,

Based on my research, it seems to be a known issue with .NET Framework. Currently, I am afraid that you need to use the wevtutil.exe tool to export the events. For more information about how to define the XPath query to filter the events, please refer to the following article:

XPath Reference
http://msdn.microsoft.com/en-us/library/ms256115.aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
December 21st, 2009 10:01am

> it seems to be a known issue with .Net Framework

This is not an issue with .NET, because all my 2008 (SP2) boxes display event logs as expected.
http://www.sysadmins.lv
December 21st, 2009 10:53am

Thank you guys for your efforts... Maybe someone can give me a hint on wevtutil. As I wrote above,

wevtutil qe security /rd:true /f:text /q:"*[System/EventID=4634 and 4624] and *[EventData/Data[@Name='TargetUserName']='Administrator']"

works. Also

wevtutil qe security /rd:true /f:text /q:*"[System[(EventID=4634 and 4624) and TimeCreated[timediff(@SystemTime)<=86400000]]]"

What I need is to put the time option on the first batch and to save it as a date file, e.g. 20091216_dc1.log, but until now I was unable to complete these steps... Kuno
December 21st, 2009 11:59am
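As an added example that is not from the thread, here is a PowerShell script that does what the last post asks for: the wevtutil query with the 24-hour timediff window, several TargetUserName values, and an output file named with the date the script was started. The account names, the C:\logs folder and the use of the computer name as the file suffix are assumptions.

```powershell
# Added example (not from the thread): export the last 24 hours of logon (4624) and
# logoff (4634) events for several accounts with wevtutil, into a date-stamped file.
# Assumptions: runs on the DC itself, C:\logs exists, account names below are samples.
$users  = @('Administrator', 'backupadmin')   # constructed sample account names
$hours  = 24
$msBack = $hours * 3600 * 1000                 # timediff() works in milliseconds (86400000 = 24h)

# Build the TargetUserName alternatives:
#   Data[@Name='TargetUserName']='Administrator' or Data[@Name='TargetUserName']='backupadmin'
$userTest = ($users | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '

# XPath note: "EventID=4634 and 4624" is always true on the right-hand side, so that form
# silently returns only 4634 events. Each alternative needs its own EventID comparison.
$query = "*[System[(EventID=4624 or EventID=4634) and " +
         "TimeCreated[timediff(@SystemTime) <= $msBack]]] " +
         "and *[EventData[$userTest]]"

# File name such as 20091216_dc1.log: date the script started plus the host name.
$suffix  = ($env:COMPUTERNAME).ToLower()
$outFile = Join-Path 'C:\logs' ("{0}_{1}.log" -f (Get-Date -Format 'yyyyMMdd'), $suffix)

# /rd:true = newest first, /f:text = readable output.
# No /c: count limit, so the time window rather than a fixed count bounds the export.
wevtutil qe Security /rd:true /f:text "/q:$query" | Out-File -FilePath $outFile -Encoding UTF8

Write-Host "Wrote $outFile"
```

Run it from an elevated PowerShell prompt on the domain controller, since reading the Security log requires administrative rights.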

Hi,

For the XPath query, I suggest that you post to the MSDN forum for further assistance. The forum is a better support pool to assist you.

MSDN forum
http://social.msdn.microsoft.com/Forums/en-US/categories/

Thank you for your understanding.

This posting is provided "AS IS" with no warranties, and confers no rights.
December 23rd, 2009 9:47am
