Tim Net

_EventLog__Notify and catching a login

2 posts in this topic

I can't seem to figure out a simple script to throw an alert if someone logs in to a Windows machine.

When a person successfully logs in, the event gets written to the Security Event Log as Event ID:528 and Category:Logon/Logoff. Here's the Description:

Successful Logon:

User Name: Support_User

Domain: VM1

Logon ID: (0x0,0x8427FB)

Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: VM1

Logon GUID: -

Caller User Name: VM1$

Caller Domain: WORKGROUP

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 572

Transited Services: -

Source Network Address: 192.168.100.5

Source Port: 12722

How do I use _EventLog__Notify to simply write a line to a file based on this event?

TIA

#2 ·  Posted (edited)

@Tim Net

Maybe this can get you started.

; ------ SCRIPT CONFIGURATION ------
Dim $strComputer 

$strComputer = "."

; ------ END CONFIGURATION ---------
Dim $objWMI 
$objWMI = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\cimv2")
Dim $colEvents
$colEvents = $objWMI.ExecNotificationQuery("SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " & _
                     "TargetInstance ISA 'Win32_NTLogEvent'") 
While 1
   Dim $objEvent
   $objEvent = $colEvents.NextEvent
   Consolewrite( "----------------------------" & @CR ) 
   Consolewrite( $objEvent.TargetInstance.Logfile & " Event Log" & @CR ) 
   Consolewrite( "----------------------------" & @CR ) 
   Consolewrite( "Event ID:   " & $objEvent.TargetInstance.EventIdentifier & @CR ) 
   Consolewrite( "Source:     " & $objEvent.TargetInstance.SourceName & @CR ) 
   Consolewrite( "Category:   " & $objEvent.TargetInstance.CategoryString & @CR ) 
   Consolewrite( "Event Type: " & $objEvent.TargetInstance.Type & @CR ) 
   Dim $strText
   for $strText in $objEvent.TargetInstance.InsertionStrings
      Consolewrite( "Event Text: " & $strText & @CR ) 
   next
   Consolewrite( "Computer:   " & $objEvent.TargetInstance.ComputerName & @CR ) 
   Consolewrite( "User:       " & $objEvent.TargetInstance.User & @CR ) 
   Consolewrite( "Time:       " & $objEvent.TargetInstance.TimeWritten & @CR ) 
   Consolewrite(  @CR ) 
WEnd

Regards

ptrex

Edited by ptrex
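
One way to do what the question asks, building on the script above: restrict the WQL query to Event ID 528 in the Security log and append one line per logon to a file. This is an added example, not part of either post; the output path, the `_WriteLogonLine` helper and the insertion-string positions (taken from the field order of the event description in the question) are assumptions.

```autoit
; Added example: log each successful logon (Event ID 528) to a text file.
; Assumptions: the log path, the helper name, and the insertion-string order,
; which follows the field order of the event description in the question.
; 528 is the XP/Server 2003 ID; later Windows logs 4624 with another layout.
Global Const $sLogFile = @ScriptDir & "\logons.txt" ; hypothetical output path

Global $oWMI = ObjGet("winmgmts:{(Security)}\\.\root\cimv2")
If Not IsObj($oWMI) Then Exit 1 ; reading the Security log needs an admin account

; Filter in WQL so only Security-log 528 events are delivered to the script.
Global $oEvents = $oWMI.ExecNotificationQuery( _
        "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " & _
        "TargetInstance ISA 'Win32_NTLogEvent' " & _
        "AND TargetInstance.Logfile = 'Security' " & _
        "AND TargetInstance.EventCode = 528")

While 1
    Local $oEvt = $oEvents.NextEvent() ; blocks until a matching event arrives
    _WriteLogonLine($oEvt.TargetInstance)
WEnd

Func _WriteLogonLine($oRec)
    Local $aStr = $oRec.InsertionStrings
    If Not IsArray($aStr) Or UBound($aStr) < 14 Then Return False ; unexpected layout
    ; 0 = User Name, 1 = Domain, 3 = Logon Type, 13 = Source Network Address
    Local $sLine = $oRec.TimeWritten & " logon user=" & $aStr[1] & "\" & $aStr[0] & _
            " type=" & $aStr[3] & " src=" & $aStr[13]
    Local $hFile = FileOpen($sLogFile, 1) ; 1 = append to the end of the file
    If $hFile = -1 Then Return False
    FileWriteLine($hFile, $sLine)
    FileClose($hFile)
    Return True
EndFunc
```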
