{"id":71143,"date":"2004-10-26T15:28:00","date_gmt":"2004-10-26T15:28:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2004\/10\/26\/hey-scripting-guy-can-i-retrieve-just-failure-events-from-the-security-event-log\/"},"modified":"2004-10-26T15:28:00","modified_gmt":"2004-10-26T15:28:00","slug":"hey-scripting-guy-can-i-retrieve-just-failure-events-from-the-security-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-retrieve-just-failure-events-from-the-security-event-log\/","title":{"rendered":"Hey, Scripting Guy! Can I Retrieve Just Failure Events from the Security Event Log?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! Is there a way to retrieve just Failure Audit events from the Security event log?

— KA<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, KA. Interesting, isn\u2019t it: any time the subject is failure, people turn to the Scripting Guys. What makes you think we know anything about failure?<\/P>\n

Ok, you\u2019re right: silly question. As far as your<\/I> question goes, it\u2019s very easy to retrieve just Security Failure Audit events from the Security event log; in fact, we just happened to have a script lying around that does that very thing:<\/P>

strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:” _\n    & “{impersonationLevel=impersonate,(Security)}!\\\\” & _\n        strComputer & “\\root\\cimv2”)\nSet colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * FROM Win32_NTLogEvent WHERE Logfile = ‘Security’ ” & _\n        “AND EventType = 5”)\nFor Each objEvent in colLoggedEvents\n    Wscript.Echo “===================================================”\n    Wscript.Echo “Category: ” & objEvent.Category\n    Wscript.Echo “Computer Name: ” & objEvent.ComputerName\n    Wscript.Echo “Event Code: ” & objEvent.EventCode\n    Wscript.Echo “Message: ” & objEvent.Message\n    Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n    Wscript.Echo “Source Name: ” & objEvent.SourceName\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\n    Wscript.Echo “Event Type: ” & objEvent.Type\n    Wscript.Echo “User: ” & objEvent.User\n    Wscript.Echo\nNext\n<\/PRE>\n
A pretty simple little script, but there are at least two things you should take note of. First, notice that we included the (Security)<\/B> parameter when connecting to WMI:<\/P>
Set objWMIService = GetObject(“winmgmts:” _\n    & “{impersonationLevel=impersonate,(Security)}!\\\\” & _\n        strComputer & “\\root\\cimv2”)\n<\/PRE>\n
You must include this parameter any time you\u2019re working with the Security event log; leave it out, and the script won\u2019t work. And, yes, we know<\/I> you\u2019re a local administrator and we know<\/I> you have the right to read the Security event log. For better or worse, though, WMI doesn\u2019t care about that: you still have to include the (Security)<\/B> parameter. <\/P>\n
Second, note the two parts of our WHERE clause:<\/P>
(“Select * from Win32_NTLogEvent WHERE Logfile = ‘Security’ ” & _\n        “AND EventType = 5”)\n<\/PRE>\n
For this script, we only want to retrieve events that meet two criteria: they\u2019re recorded in the Security event log, and they have an EventType of 5. As you probably figured out, in WMI-speak an EventType of 5 means a Failure Audit. Alternatively, you could search for EventTypes of 1 (Error), 2 (Warning), 3 (Information), or 4 (Security Audit Success). Because we want Failure Audit events, we look for events in the Security Logfile<\/B> with an EventType<\/B> of 5. Thus:<\/P>
WHERE Logfile = ‘Security’ AND EventType = 5\n<\/PRE>\n
Cool, huh? If you\u2019d like more information about working with event logs (including some sample queries you might find useful), check out the Logs chapter<\/B><\/A> in the Microsoft Windows 2000 Scripting Guide.<\/P>\n
And as long as we have your attention, we might want to add one more thing. The script, as it currently stands, will display the TimeWritten property (that is, the date and time that the event was recorded in the event log) using WMI\u2019s default Universal Time Coordinate format. In other words, you\u2019ll get back results similar to this:<\/P>
20041025124000.000000-420\n<\/PRE>\n
How \u2026 nice \u2026. But don\u2019t despair. Here\u2019s a modified version of the script that includes a function (WMIDateStringTodate) that will convert this UTC value to something a bit easier to read:<\/P>
strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:” _\n    & “{impersonationLevel=impersonate,(Security)}!\\\\” & _\n        strComputer & “\\root\\cimv2”)\nSet colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * FROM Win32_NTLogEvent WHERE Logfile = ‘Security’ ” & _\n        “AND EventType = 5”)\nFor Each objEvent in colLoggedEvents\n    Wscript.Echo “===================================================”\n    Wscript.Echo “Category: ” & objEvent.Category\n    Wscript.Echo “Computer Name: ” & objEvent.ComputerName\n    Wscript.Echo “Event Code: ” & objEvent.EventCode\n    Wscript.Echo “Message: ” & objEvent.Message\n    Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n    Wscript.Echo “Source Name: ” & objEvent.SourceName\n    dtmEventDate = objEvent.TimeWritten\n    strTimeWritten = WMIDateStringToDate(dtmEventDate)\n    Wscript.Echo “Time Written: ” & strTimeWritten\n    Wscript.Echo “Event Type: ” & objEvent.Type\n    Wscript.Echo “User: ” & objEvent.User\n    Wscript.Echo\nNext<\/p>\n
Function WMIDateStringToDate(dtmEventDate)\n    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & “\/” & _\n        Mid(dtmEventDate, 7, 2) & “\/” & Left(dtmEventDate, 4) _\n            & ” ” & Mid (dtmEventDate, 9, 2) & “:” & _\n                Mid(dtmEventDate, 11, 2) & “:” & Mid(dtmEventDate, _\n                    13, 2))\nEnd Function\n<\/PRE>\n
We won\u2019t bother explaining how this works today, but if you have any questions about it, let us know. Maybe we\u2019ll go into it in more detail in a future column.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! Is there a way to retrieve just Failure Audit events from the Security event log?— KA Hey, KA. Interesting, isn\u2019t it: any time the subject is failure, people turn to the Scripting Guys. What makes you think we know anything about failure? Ok, you\u2019re right: silly question. As far as your question […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-71143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! Is there a way to retrieve just Failure Audit events from the Security event log?— KA Hey, KA. Interesting, isn\u2019t it: any time the subject is failure, people turn to the Scripting Guys. What makes you think we know anything about failure? Ok, you\u2019re right: silly question. As far as your question […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=71143"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=71143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=71143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=71143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}