1. A simple requirement?
Requirement: in a Windows Server 2008 R2 environment, count the number of user logons over the most recent 7 days.
It seems simple: I know the event ID of the logon event on Server 2008, so I just start counting. 4624 is the logon event ID.
The statistical results are as follows:
There don't seem to have been that many logons, do there?
Looking through the logon events, I found the one that is recorded at the time of a real logon. What sets it apart from the others is that its process name is winlogon.exe. To filter more precisely, this is the place to start.
2. Further filtering
Click "Details" in "Event Properties" to see the event data.
In "Filter Current Log", select "XML".
Tick "Edit query manually" and confirm.
Add the following condition in the manual editor:
*[EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\winlogon.exe')]] and
(ProcessName and winlogon.exe here are the values you see under "Details" in "Event Properties".)
After you click OK, the filtered results are exactly the real logons.
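The same filter as a script, as an added example that is not part of the original post: it combines the winlogon.exe condition above with event ID 4624 and a 7-day window, then counts the matches per account. It assumes PowerShell 2.0 or later in an elevated session on the server itself; the variable names are illustrative.

```powershell
# Added example (not from the original article). Run elevated: the Security log
# is not readable by standard users.
$days = 7
$ms   = $days * 24 * 60 * 60 * 1000   # timediff() compares in milliseconds

# Same XPath as the manual Event Viewer query: logon event 4624, raised in the
# last $days days, whose ProcessName is winlogon.exe.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and
      *[EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\winlogon.exe')]]
    </Select>
  </Query>
</QueryList>
"@

# SilentlyContinue hides the "no events found" error; it also hides access
# errors, so remove it if the result is unexpectedly empty.
$events = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)

# Flatten the named <Data> fields of each event into one object per logon.
$logons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
    }
}

"Total matching logon events in the last $days days: $($events.Count)"

# Count per account and logon type, most frequent first.
$logons | Group-Object User, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```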
3. The logon filter on Windows Server 2012
On Windows Server 2012 there may be some minor changes, but the previous approach still works. The following can be used for reference:
*[EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\winlogon.exe')]] and
*[EventData[Data[@Name='LogonType'] and (Data=')]] and
Supplement
The XML query can also be used to filter on any other information you want, and it is worth experimenting with.
This article is from the "record and learn to improve and share" blog; please be sure to keep this source: http://huandidi.blog.51cto.com/23337/1954555
Precise filtering of Windows user logon events