Guest Mark Scholl
Posted August 22, 2007

I have a Bank client where the examiners have requested that the security event log be dumped, printed and reviewed daily for events showing user login and logout events. They have only one domain controller.

Event ID's 538 and 540 appear to be the events I would like to filter. However, there are many events from the system user that I would like to exclude using these event ID's.

I've looked at PSLogList from the PSTools suite but I don't find a switch to exclude the events from the system user.

Any easy options?

mark scholl
Guest Mathieu CHATEAU
Posted August 22, 2007

Re: Security event log parsing

hello,

did you try:
psloglist.exe \\remotedc -i 538,540 -x security ?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Mark Scholl" <mscholl@lcvcpa.com> wrote in message news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
> I have a Bank client where the examiners have requested that the security
> event log be dumped, printed and reviewed daily for events showing user
> login and logout events. They have only one domain controller.
>
> Event ID's 538 and 540 appear to be the events I would like to filter.
> However, there are many events from the system user that I would like to
> exclude using these event ID's.
>
> I've looked at PSLogList from the PSTools suite but I don't find a switch
> to exclude the events from the system user.
>
> Any easy options?
>
> mark scholl
Guest Mark Scholl
Posted August 22, 2007

Re: Security event log parsing

This syntax does not filter out events from user "NT Authority\System". I want to parse out events created by non-user accounts.

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message news:eio9$LO5HHA.3716@TK2MSFTNGP03.phx.gbl...
> hello,
>
> did you try:
> psloglist.exe \\remotedc -i 538,540 -x security ?
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Mark Scholl" <mscholl@lcvcpa.com> wrote in message
> news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
>> I have a Bank client where the examiners have requested that the security
>> event log be dumped, printed and reviewed daily for events showing user
>> login and logout events. They have only one domain controller.
>>
>> Event ID's 538 and 540 appear to be the events I would like to filter.
>> However, there are many events from the system user that I would like to
>> exclude using these event ID's.
>>
>> I've looked at PSLogList from the PSTools suite but I don't find a switch
>> to exclude the events from the system user.
>>
>> Any easy options?
>>
>> mark scholl
Guest Mathieu CHATEAU
Posted August 22, 2007

Re: Security event log parsing

OK, I didn't understand your problem, sorry.

You may turn to VBScript to achieve this (or even PowerShell).

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Mark Scholl" <mscholl@lcvcpa.com> wrote in message news:eRKrX9O5HHA.1188@TK2MSFTNGP04.phx.gbl...
> This syntax does not filter out events from user "NT
> Authority\System". I want to parse out events created by non-user
> accounts.
>
> "Mathieu CHATEAU" <gollum123@free.fr> wrote in message
> news:eio9$LO5HHA.3716@TK2MSFTNGP03.phx.gbl...
>> hello,
>>
>> did you try:
>> psloglist.exe \\remotedc -i 538,540 -x security ?
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Mark Scholl" <mscholl@lcvcpa.com> wrote in message
>> news:e0zjtoM5HHA.4436@TK2MSFTNGP03.phx.gbl...
>>> I have a Bank client where the examiners have requested that the security
>>> event log be dumped, printed and reviewed daily for events showing user
>>> login and logout events. They have only one domain controller.
>>>
>>> Event ID's 538 and 540 appear to be the events I would like to filter.
>>> However, there are many events from the system user that I would like to
>>> exclude using these event ID's.
>>>
>>> I've looked at PSLogList from the PSTools suite but I don't find a
>>> switch to exclude the events from the system user.
>>>
>>> Any easy options?
>>>
>>> mark scholl
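
Added example, not part of the original thread: one way to do in PowerShell what the last reply suggests, pulling events 538 and 540 from the domain controller's Security log and dropping entries whose user is a built-in service identity or a computer account. It assumes PowerShell 2.0 or later; the server name is the one from the thread's command, and the exclusion list beyond NT AUTHORITY\SYSTEM, the function name Test-IsUserAccount and the output file name are assumptions.

```powershell
# Added example: daily logon/logoff report that excludes non-user accounts.
# Assumptions: PowerShell 2.0+ (Get-EventLog -ComputerName), run by an account
# allowed to read the Security log on the domain controller.
param(
    [string]$Server  = 'remotedc',   # server name as used in the thread's command
    [string]$OutFile = ".\logon-report-$(Get-Date -Format yyyyMMdd).csv"  # assumed name
)

# Identities treated as "not a person". Only SYSTEM is named in the thread;
# the other entries are assumptions about what else should be excluded.
$builtin = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Test-IsUserAccount {
    param([string]$UserName)
    if ([string]::IsNullOrEmpty($UserName)) { return $false }  # no user recorded
    if ($builtin -contains $UserName)       { return $false }  # -contains ignores case
    if ($UserName.EndsWith('$'))            { return $false }  # computer account, DOMAIN\HOST$
    return $true
}

# Report window: all of yesterday, so a run each morning covers one full day.
$until = (Get-Date).Date
$since = $until.AddDays(-1)

$events = Get-EventLog -LogName Security -ComputerName $Server `
              -After $since -Before $until |
          Where-Object { (538, 540 -contains $_.EventID) -and
                         (Test-IsUserAccount $_.UserName) } |
          Sort-Object TimeGenerated |
          Select-Object TimeGenerated, EventID, UserName, MachineName

# CSV for the file copy the examiners asked for, table for on-screen review.
$events | Export-Csv -Path $OutFile -NoTypeInformation
$events | Format-Table -AutoSize
```

The filter matches on the entry's UserName field, so an account that should be reviewed but ends in `$` would be dropped; adjust Test-IsUserAccount if the domain has such accounts.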