How to edit my search on Windows security event lo...

aanic · ‎01-10-2017

Hy,

I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.

Can you pls help?

Thanx!

`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)

zshainsky · ‎01-10-2017

This can be a great resource for answering search questions with a specific sourcetype like WinEventLog:Security:
http://gosplunk.com/

DalJeanis · ‎01-10-2017

If you know the last time that YOU logged in onto your pc, then you can use your own information to find the right format for the records. Let's say that you logged on about half an hour ago. Let's find your record.

earliest=-45m@m latest=-15m@m  `windows_idx` sourcetype="wineventlog:security"  "*NameofPC*" | head 10

That will find up to 10 records, between 45 and 15 minutes ago, that contain the name of your pc. if that shows no results, then you know your windows_idx macro or your sourcetype or the name of the fields or your NameofPC is wrong. Experiment until you get them right. The results will also show you the correct name and values for EventCode. On my system it is EventID.

Use what you learn to modify your search until it works to bring back YOUR logon records.

After that, you can expand the timeframe to bring in more records for the last day or week or whatever.

Good luck with your hunt!

DalJeanis · ‎01-10-2017

By the way, the most common issue is the spelling of the field names, specifically the case of the letters. Check that up front.

How to edit my search on Windows security event logs to find which user was last logged in on a PC?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!