{"id":70573,"date":"2005-01-26T12:00:00","date_gmt":"2005-01-26T12:00:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/01\/26\/how-can-i-retrieve-information-from-my-event-logs-regarding-unsuccessful-logons\/"},"modified":"2005-01-26T12:00:00","modified_gmt":"2005-01-26T12:00:00","slug":"how-can-i-retrieve-information-from-my-event-logs-regarding-unsuccessful-logons","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-retrieve-information-from-my-event-logs-regarding-unsuccessful-logons\/","title":{"rendered":"How Can I Retrieve Information From My Event Logs Regarding Unsuccessful Logons?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I scan the event logs of my servers and return only information about unsuccessful logons?

— LC<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, LC. We\u2019ll assume that you have enabled security auditing on your servers. If you haven\u2019t, that\u2019s step one. What you\u2019ll want to do is – at a minimum – audit for logon event failures. That way every time someone tries – and fails – to log on to the computer, an event with a specific event code will be written to the Security event log. For member servers and workstations, the event code is 529; for domain controllers, the event code is 675. For our example, we\u2019ll use event code 529, simply because you referenced \u201cservers\u201d in your question rather than \u201cdomain controllers.\u201d<\/P>\n

Note<\/B>. There might be other event codes of interest to you as well; needless to say, the Scripting Guys are not security experts. For the sake of simplicity, though, we\u2019ll focus on 529 and 675, both of which represent \u201cunknown user name or bad password\u201d events. However, its\u2019 easy enough to modify the WQL query we\u2019ll be using to check for additional event codes.<\/P>\n

Budding crime scene investigators out there might have already spotted an important clue: unsuccessful logons are reported in the Security event log, and each one is branded with the same event code: 529. That suggests a solution to our problem: to get back information about unsuccessful logons, all we need to do is query the Security event log for all events that have an event code of 529.<\/P>\n

In other words:<\/P>

strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colEvents = objWMIService.ExecQuery _\n        (“Select * from Win32_NTLogEvent Where Logfile = ‘Security’ and ” _\n            & “EventCode = ‘529’”)<\/p>\n
For Each objEvent in colEvents\n    Wscript.Echo “Category: ” & objEvent.Category\n    Wscript.Echo “Computer Name: ” & objEvent.ComputerName\n    Wscript.Echo “Event Code: ” & objEvent.EventCode\n    Wscript.Echo “Message: ” & objEvent.Message\n    Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n    Wscript.Echo “Source Name: ” & objEvent.SourceName\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\n    Wscript.Echo “Event Type: ” & objEvent.Type\n    Wscript.Echo “User: ” & objEvent.User\nNext\n<\/PRE>\n
Elementary, my dear Watson. The only thing out of the ordinary occurs when we connect to the WMI service. To do that, we must include the (Security)<\/B> privilege (enclosed in square braces), like so:<\/P>
Set objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & strComputer & “\\root\\cimv2”)\n<\/PRE>\n
You need to include this privilege in your script any time you want to access the Security event log. On top of that you (or at least your user account) must already possess the right to access the Security event log; including the privilege in the script won\u2019t magically bestow this right on you. On the other hand, leaving the privilege out of the script will prevent you from accessing the Security event log, regardless of any rights, privileges, and permissions your user account might have.<\/P>\n
After making the connection we simply select all instances of the Win32_NTLogEvent<\/B> class where the Logfile<\/B> is equal to Security and the EventCode<\/B> is equal to 529. That returns a collection of unsuccessful logon events, which we proceed to echo back to the screen.<\/P>\n
This particular script returns a list of all<\/I> the unsuccessful logon events. It\u2019s possible that you might want to retrieve those events only for a specified time period (for example, only unsuccessful logons from yesterday or for last week). Likewise, you might want to set up a monitoring system that would allow for instant notification any time such an event occurred. That sort of things lies a bit outside the scope of this column, but for more information and for sample scripts you might take a look at the Logs chapter<\/B><\/A> in the Microsoft Windows 2000 Scripting Guide<\/I>.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I scan the event logs of my servers and return only information about unsuccessful logons?— LC Hey, LC. We\u2019ll assume that you have enabled security auditing on your servers. If you haven\u2019t, that\u2019s step one. What you\u2019ll want to do is – at a minimum – audit for logon event […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-70573","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I scan the event logs of my servers and return only information about unsuccessful logons?— LC Hey, LC. We\u2019ll assume that you have enabled security auditing on your servers. If you haven\u2019t, that\u2019s step one. What you\u2019ll want to do is – at a minimum – audit for logon event […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70573"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70573\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}