Over time I will revise this; for now, I’m just dumping this here so I don’t lose it.
This pertains to Windows Vista, 7, 2008+ Event Logs simply because of the EventIDs used. You’d have to substitute accordingly for XP/2003 and so on.
LogParser SQL to retrieve all Remote Desktop logons (success or failure). JUST RDP.
SELECT timegenerated,
       EXTRACT_TOKEN(Strings,2,'|') AS Domain,
       EXTRACT_TOKEN(Strings,5,'|') AS UserName,
       EXTRACT_TOKEN(Strings,18,'|') AS IPAddress,
       EXTRACT_TOKEN(Strings,8,'|') AS LogonType,
       EventID, EventType
FROM %Source%
WHERE EventID=4624 AND LogonType='10'
ORDER BY timegenerated DESC
EventTypes (the EventType column):
1 = Error
2 = Warning
4 = Information
8 = Security audit success
16 = Security audit failure
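Added example (not code from the original post): the query above, re-done in Python over constructed 4624 records so the token positions can be checked offline. It assumes the Strings field is pipe-joined exactly as the query splits it (token 2 = Domain, 5 = UserName, 8 = LogonType, 18 = IPAddress); the sample records are made up.

```python
from datetime import datetime

# EventType codes as listed in the post (Security log events are 8 or 16).
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Security audit success", 16: "Security audit failure"}

# Token positions inside the 4624 Strings field, the same ones the query uses.
# Note: token 2 is the *subject* domain in the 4624 template; the target
# account's domain is token 6.
DOMAIN, USERNAME, LOGONTYPE, IPADDRESS = 2, 5, 8, 18
RDP_LOGON_TYPE = "10"  # RemoteInteractive

def extract_token(strings, index, sep="|"):
    """Behaves like LogParser's EXTRACT_TOKEN(Strings, index, sep)."""
    tokens = strings.split(sep)
    return tokens[index] if index < len(tokens) else None

def rdp_logons(records):
    """Return 4624 events with LogonType 10, newest first, like the query."""
    rows = []
    for rec in records:
        s = rec["Strings"]
        if rec["EventID"] != 4624 or extract_token(s, LOGONTYPE) != RDP_LOGON_TYPE:
            continue
        rows.append({
            "timegenerated": rec["timegenerated"],
            "Domain": extract_token(s, DOMAIN),
            "UserName": extract_token(s, USERNAME),
            "IPAddress": extract_token(s, IPADDRESS),
            "LogonType": RDP_LOGON_TYPE,
            "EventType": EVENT_TYPES.get(rec["EventType"], str(rec["EventType"])),
        })
    return sorted(rows, key=lambda r: r["timegenerated"], reverse=True)

def make_4624(domain, user, logon_type, ip):
    """Build a constructed 20-token 4624 Strings value (sample data only)."""
    fields = [""] * 20
    fields[DOMAIN], fields[USERNAME] = domain, user
    fields[LOGONTYPE], fields[IPADDRESS] = logon_type, ip
    return "|".join(fields)

# Constructed sample records, not real log data.
SAMPLE = [
    {"timegenerated": datetime(2012, 5, 1, 8, 0), "EventID": 4624, "EventType": 8,
     "Strings": make_4624("CORP", "alice", "10", "10.0.0.5")},
    {"timegenerated": datetime(2012, 5, 1, 9, 0), "EventID": 4624, "EventType": 8,
     "Strings": make_4624("CORP", "svc-backup", "3", "10.0.0.9")},
    {"timegenerated": datetime(2012, 5, 1, 10, 0), "EventID": 4624, "EventType": 8,
     "Strings": make_4624("CORP", "bob", "10", "192.0.2.7")},
]
```

Running `rdp_logons(SAMPLE)` returns bob (192.0.2.7) then alice (10.0.0.5); the network logon (type 3) is dropped, which is the same filtering the WHERE clause does.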
Batch to run the SQL file.
logparser.exe -i:EVT file:test.sql?source=C:\Security.evtx -o:DATAGRID
Note to self; I can change the ?source= as needed…
?source=Security – Security log of the local system
?source=\\citrix1\Security – Security log of a remote system
?source=c:\test.evtx – Local path to a saved EVTX file
Output Example…
To find FAILURES, I need to look at a SELECT * and figure out the EXTRACT_TOKENS since they don’t match a success. Bah-humbug.