Chapter 6. Using PowerShell to audit user logon events

Mike F. Robbins

Event logs are special files on Windows-based workstations and servers that record system activity. Do you want to know if there’s a problem with your Windows-based servers? Almost anything you’d want to know about what has occurred on your servers, whether an informational event, a warning, an error, or a security event, is contained in the event logs. When’s the last time you took a look at all of the event logs on each of your servers?

Beginning with Windows Vista and Windows Server 2008, the event logs were redesigned around an XML-based log format, and newer operating systems such as Windows Server 2012 can contain over 200 different event logs, depending on which roles have been enabled. Each of these event logs is an individual file located by default in the %SystemRoot%\System32\Winevt\Logs folder. Event Viewer is the graphical tool most administrators are familiar with for working with event logs, but with an overwhelming amount of data spread across so many individual logs on each of their servers, administrators have to learn more efficient ways to retrieve the specific information they're looking for.

Event log basics

Querying the event logs with PowerShell

Auditing logon failures

Auditing logon type and authentication protocol

Auditing Active Directory user-account lockout events

About the author