Windows Event Viewer is a gold mine of security information. However, to find the nuggets you often have to chip away all of the useless “rock”.
I was recently tasked with finding all of the “human” logins into a particular server in our environment for a given time period. To complicate matters, there are several service accounts which log in to this server every minute or so. This floods the Security log with data that is useless for my purposes.
Event Viewer is a bit of a pain to use as you can’t easily filter OUT and exclude logs you don’t want. So if you aren’t looking for something very specific it can be tough to get at what you actually want.
However, event logs are stored in XML format, and with a little bit of patience and a good text editor you can craft a query that gets you to where you want. In typical fashion, this took me a couple of hours of digging to finally put together the code that worked for me, and as I can easily see using this again in the future, I am archiving it here as a personal resource. I hope it saves you all some time as well.
Inside of Event Viewer, open up the Security event log. On the right-hand side, you should have the option to “Filter Current Log” – click this.
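As an added example (not the post's own code), here is the kind of exclusion filter the post is working toward: an XPath query that keeps successful interactive and RDP logons (Event ID 4624, LogonType 2 or 10) inside a time window and filters out the noisy service accounts by name. The same XML can be pasted into the XML tab of the “Filter Current Log” dialog (“Edit query manually”); here it is fed to Get-WinEvent so the hits can be tabulated. The service account names and the seven-day window are placeholders.

```powershell
# Added example, not from the original post. The account names and time window
# below are placeholders; replace them with the accounts flooding your log.
$ServiceAccounts = @('svc_backup', 'svc_monitor')
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# The event log XPath subset understands '!=', so one clause per service account
# can be joined with 'and' inside a single EventData[...] predicate.
$exclude = ($ServiceAccounts | ForEach-Object {
    "Data[@Name='TargetUserName'] != '$_'"
}) -join ' and '

# Timestamps must be UTC ISO-8601. Inside XML element text, '<' and '>' have to
# be written as &lt; and &gt; (this is also how Event Viewer itself emits them).
$fmt  = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$from = $Start.ToUniversalTime().ToString($fmt)
$to   = $End.ToUniversalTime().ToString($fmt)

# 4624 = successful logon. LogonType 2 = Interactive (console), 10 = RemoteInteractive (RDP).
# Network (3), batch (4) and service (5) logons, which service accounts mostly produce, are left out.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and
               TimeCreated[@SystemTime&gt;='$from' and @SystemTime&lt;='$to']]]
      and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]
      and *[EventData[$exclude]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent reports "No events were found" as an error when the filter matches nothing;
# SilentlyContinue keeps an empty result from looking like a failure.
Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event's XML rendering.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server itself, or add `-ComputerName` to Get-WinEvent to query it remotely; to see unlock (7) or cached (11) logons as well, extend the LogonType predicate.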