Extracting from Security Log

Hi Scripting Experts,

I'm trying to write a script to log Domain Logon Failures, rather than
trawling thru our DCs logs. For the moment I'm happy with getting
output, rather than just logging to a file.

So far I have is the following which outputs the number of Domain
Logon Failures as indicated by Event ID 675.

My question - how do I go about extracting the username and time the
event was logged? Scripomatic doesn't seem to mention this for the
Win32_NTLogEvent collection. Here's my script so far, help much
appreciated.

'VBScript to check the Security Log for Logon Faillures
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
& "EventCode = '675'")
Wscript.Echo "Domain Logon Failures: " & colLoggedEvents.Count

Daryl
Fri Aug 13 12:02:09 CDT 2004

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and
EventCode = '675'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Next









"Sean" <pne1881@yahoo.ie> wrote in message
news:2d3ba3.0408130810.79faf729@posting.google.com...
> Hi Scripting Experts,
>
> I'm trying to write a script to log Domain Logon Failures, rather than
> trawling thru our DCs logs. For the moment I'm happy with getting
> output, rather than just logging to a file.
>
> So far I have is the following which outputs the number of Domain
> Logon Failures as indicated by Event ID 675.
>
> My question - how do I go about extracting the username and time the
> event was logged? Scripomatic doesn't seem to mention this for the
> Win32_NTLogEvent collection. Here's my script so far, help much
> appreciated.
>
> 'VBScript to check the Security Log for Logon Faillures
> strComputer = "."
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate,(Security)}!\\" & _
> strComputer & "\root\cimv2")
> Set colLoggedEvents = objWMIService.ExecQuery _
> ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
> & "EventCode = '675'")
> Wscript.Echo "Domain Logon Failures: " & colLoggedEvents.Count

Torgeir
Fri Aug 13 12:15:50 CDT 2004

Daryl wrote:

> strComputer = "."
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

To access the Security event log, you need to take the
Security privilege, like this:

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")


> Set colLoggedEvents = objWMIService.ExecQuery _
> ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and
> EventCode = '675'")
> For Each objEvent in colLoggedEvents
> Wscript.Echo "Category: " & objEvent.Category
> Wscript.Echo "Computer Name: " & objEvent.ComputerName
> Wscript.Echo "Event Code: " & objEvent.EventCode
> Wscript.Echo "Message: " & objEvent.Message
> Wscript.Echo "Record Number: " & objEvent.RecordNumber
> Wscript.Echo "Source Name: " & objEvent.SourceName
> Wscript.Echo "Time Written: " & objEvent.TimeWritten
> Wscript.Echo "Event Type: " & objEvent.Type
> Wscript.Echo "User: " & objEvent.User
> Next


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx