How can I track successful logins and disconnects?


I am trying to track every time a user remotes into a computer and every time they disconnect. I am using PowerShell to do this. This is what I am using:

# Pull logoff (4634) and special-privilege logon (4672) events from the local Security log
Get-WinEvent -ComputerName $env:ComputerName -FilterHashTable @{LogName='Security';ID=4634,4672} |
    Select-Object @{N='User';E={$_.Properties[1].Value}},TimeCreated,ID,MachineName

Correct me if I'm wrong but my problem is that the event 4634 can apply for a failed login event too. I want just the successful events. Also event 4672 seems to apply only when admins login, again correct me if I'm wrong, but I want the successful login of any user. How do I track only the successful logins and disconnects of any user? Which event log is best suited for this? I would like the log to be able to provide user info as well. Event ID 4624 doesn't always provide user info.

techguy1029

Posted 2019-08-07T21:14:31.020

Reputation: 127

I think Get-EventLog will work for you. Example of getting all the successful audit events: Get-EventLog -LogName Security -EntryType SuccessAudit – Smeerpijp – 2019-08-09T07:22:20.307

@Smeerpijp I get multiple of these events if someone logs in once. If a user logs in, it will generate two or three login events along with a logoff event. How can I filter through this? – techguy1029 – 2019-08-15T18:47:59.880

You can filter on EventID with the InstanceID switch. Example: Get-EventLog -InstanceId 4624 -LogName Security -EntryType SuccessAudit – Smeerpijp – 2019-08-16T07:22:37.427

Answers


If anyone stumbles onto this, this helped me out:

#Win Event Filters/Properties
$LogFilter = @{LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            }

# Map each event ID to a readable action name
$ActionProperty = @{Name='Action';Expression={
                if ($_.ID -eq '21'){"logon"}
                if ($_.ID -eq '22'){"Shell start"}
                if ($_.ID -eq '23'){"logoff"}
                if ($_.ID -eq '24'){"disconnected"}
                if ($_.ID -eq '25'){"reconnection"}
                }}

# Calculated properties used by Select-Object below (for these events the first
# EventData field is the user name in DOMAIN\user form)
$UserProperty = @{Name='User';Expression={$_.Properties[0].Value}}
$TimeProperty = 'TimeCreated'

#Get Records
$LoginRecords = Get-WinEvent -FilterHashtable $LogFilter | Where-Object{($_.TimeCreated -ge (Get-Date).AddMinutes(-600))} | Select-Object $ActionProperty,$UserProperty,MachineName,$TimeProperty | Sort-Object -Property TimeCreated -Descending -Unique

The log Microsoft-Windows-TerminalServices-LocalSessionManager/Operational was the most helpful when finding logins and logouts. This log had fewer events when compared to other logs, so for the most part it was cleaner and easier to understand. If you're using PowerShell to audit this stuff, make sure you use the -Unique switch to make sure you only get the one logon event and not the other two or three events that are generated along with it at times.

techguy1029

Posted 2019-08-07T21:14:31.020

Reputation: 127
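An added example, not code from the question or the answer, that combines both approaches discussed above: it builds a per-user logon/logoff timeline from the LocalSessionManager log used in the answer and from the Security log the question started with. Fields are read by name from each event's XML view rather than by Properties[] index (the index layout differs between event IDs, which is why Properties[1] does not reliably give the user for 4624). It assumes a local machine with both logs enabled and an elevated session, since the Security log requires administrator rights to read; the function names, the default LogonType set and the time window are choices made for this example.

```powershell
# Added example (not from the question or the answer). Assumes the logs named below
# exist locally and the session is elevated (the Security log needs admin rights).

function Get-EventField {
    # Read a named field from an event record via its XML view. Security events
    # store fields as <EventData><Data Name="...">; the TerminalServices logs store
    # them as <UserData><EventXML><User>, so positional Properties[] indexes differ.
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [Parameter(Mandatory)][string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $data = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($data) { return $data.'#text' }
    $userData = $xml.Event.UserData.EventXML
    if ($userData) { return $userData.$Name }
    return $null
}

function Get-RdpSessionTimeline {
    # Session state changes from the LocalSessionManager log used in the answer.
    # Each record already carries user, session ID and client address, so no
    # correlation is needed; -Unique on (SessionId, Action, TimeCreated) drops the
    # duplicate records this log sometimes writes for a single transition.
    param([int]$Hours = 24)
    $actions = @{ 21 = 'logon'; 22 = 'shell start'; 23 = 'logoff'; 24 = 'disconnected'; 25 = 'reconnected' }
    $filter  = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID        = 21, 22, 23, 24, 25
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Action      = $actions[[int]$_.Id]
            User        = Get-EventField -Event $_ -Name 'User'
            SessionId   = Get-EventField -Event $_ -Name 'SessionID'
            Source      = Get-EventField -Event $_ -Name 'Address'
            Computer    = $_.MachineName
        }
    } | Sort-Object -Property SessionId, Action, TimeCreated -Unique | Sort-Object TimeCreated -Descending
}

function Get-InteractiveLogonTimeline {
    # Successful logons (4624) and logoffs (4634, 4647) for any user from the Security
    # log. The extra records seen per logon are typically 4624/4634 pairs with other
    # LogonType values (3 = network, 5 = service); keeping console (2), RDP (10) and
    # cached (11) types leaves one record per real session. The user is TargetUserName,
    # not the Subject fields that a Properties[1] lookup returns for this event.
    param([int]$Hours = 24, [int[]]$LogonTypes = @(2, 10, 11))
    $actions = @{ 4624 = 'logon'; 4634 = 'logoff'; 4647 = 'logoff (user initiated)' }
    $filter  = @{ LogName = 'Security'; ID = 4624, 4634, 4647; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $type = Get-EventField -Event $_ -Name 'LogonType'
        # 4647 carries no LogonType; every other record is filtered on it
        if ($_.Id -ne 4647 -and ([int]$type -notin $LogonTypes)) { return }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Action      = $actions[[int]$_.Id]
            User        = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'), (Get-EventField $_ 'TargetUserName')
            LogonType   = $type
            LogonId     = Get-EventField -Event $_ -Name 'TargetLogonId'   # joins a 4624 to its 4634/4647
            Source      = Get-EventField -Event $_ -Name 'IpAddress'
            Computer    = $_.MachineName
        }
    } | Sort-Object -Property LogonId, Action -Unique | Sort-Object TimeCreated -Descending
}

# Usage: both timelines for the last 24 hours, newest first
Get-RdpSessionTimeline -Hours 24 | Format-Table -AutoSize
Get-InteractiveLogonTimeline -Hours 24 | Format-Table -AutoSize
```

The LocalSessionManager view is the simpler one when only Remote Desktop sessions matter, because disconnect (24) and reconnect (25) have no equivalent in the Security log. The Security view covers console and cached logons too, and the TargetLogonId column is what lets a logon be paired with its logoff when working out session duration.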