Question for the MS folks

Here is the situation. I need to track a particular users logon activity (how many times a day, what time, how often and from what IP, the later is extremely important). I know this is tracked in the security log of the domain controllers but I am having trouble parcing the information in excel (since it does not show the output of the messages) and it keeps crashing my computer management (the logs are 91 mg from each of our DCs). What I am looking for is a way to parse the data in powershell (or perl*) and write the output to a file. Have any of you do anything like this?

I am going to look up perl later on today but I am basically looking for a powershell perspective.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

rwmidl

Maybe try the Event Comb feature in the Server 2003 feature pack?

List of features available in the Event Comb tool

I haven't used this tool so it may not do what you need it to, fyi.

Bl8ckr0uter

Interesting!

I also found this site so I might need to try to script it in posh first:
The PowerShell Guy : PowerShell examples used on ars technica

rwmidl

Here is the thread where I found the Filter Comb referenced:

Auditing User Logon/Logoff in Windows Server Active Directory

Bl8ckr0uter

rwmidl wrote: »

Here is the thread where I found the Filter Comb referenced:

Auditing User Logon/Logoff in Windows Server Active Directory

I actually had it installed on my machine already (since it is with the 2k3 resource kit). Pretty epic tool.

Everlife

Check out LogParser from Microsoft. I haven't used it in quite a long time, but you can run very detailed queries and export the results to a CSV. They may even have added direct export to Excel. There is a learning curve, but what you're asking for is fairly basic, so I'm sure you'll be able to find some examples online.