We have a requirement to periodically create a report of all Terminal Services logons on a couple of our managed servers. We have been using the script below to accomplish this with no problem.
We are starting to implement Microsoft Server 2008 servers and now our script does not work. The logon Event ID has changed from 528 to 4624... easy enough. The Logon Type is still 10.
We run the script "As Administrator" getting past the UAC warning. The problem is that we can no longer get the contents of the "Message" field. Before I was able to search for "Logon Type: 10" to filter out all the other logon events that I don't need.
The field now returns the following value:
The description for Event ID 4624 in Source "Microsoft-Windows-Securit
Is there something I can do to allow Log Parser access to that field?! It shows up fine in Event Viewer.
For testing, you can add Message as a field or even * to see all fields available.
TSLogons.BAT: (run as Administrator... meaning UAC, not the account name Administrator)
@ECHO Display report of Terminal Server logons. Please wait while processing...
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" file:C:\TSLogons.sql>C:\TSLogons.txt -q:ON
start C:\TSLogons.txt
TSLogons.SQL:
SELECT TimeGenerated AS LogonTime,
       STRCAT( EXTRACT_TOKEN( Strings, 1, '|'),
               STRCAT( '\\', EXTRACT_TOKEN( Strings, 0, '|' ) )
       ) AS User,
       EventID
FROM Security
WHERE (EventID = 528 OR EventID = 4624)
  AND Message LIKE '%Logon Type: 10%'
ORDER BY LogonTime DESC
The above .SQL file works fine on Server 2003. But on Server 2008, if you add the column named Message to the results, you see that Log Parser cannot retrieve the contents, and therefore cannot get the "Message LIKE ..." filter.
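An added example, not part of the original post: a Log Parser query that filters event 4624 on the raw Strings field instead of the rendered Message text, so it does not depend on the message description being resolved. It assumes the Server 2008 insertion-string order for event 4624 (TargetUserName at index 5, TargetDomainName at 6, LogonType at 8, IpAddress at 18) and that Strings is still populated when Message is not.

```sql
-- Added example (not the poster's script): Terminal Services logons on
-- Server 2008 taken from the event's insertion strings, not from Message.
-- Assumed 4624 token positions in the pipe-separated Strings field:
--   5 = TargetUserName, 6 = TargetDomainName,
--   8 = LogonType,      18 = IpAddress (source address of the session)
SELECT TimeGenerated AS LogonTime,
       STRCAT( EXTRACT_TOKEN( Strings, 6, '|' ),
               STRCAT( '\\', EXTRACT_TOKEN( Strings, 5, '|' ) )
       ) AS User,
       EXTRACT_TOKEN( Strings, 18, '|' ) AS SourceAddress,
       EventID
FROM Security
WHERE EventID = 4624
  -- Logon Type 10 = RemoteInteractive (Terminal Services / RDP)
  AND EXTRACT_TOKEN( Strings, 8, '|' ) = '10'
ORDER BY LogonTime DESC
```

Adding Strings to the SELECT list on a test run shows the raw tokens, which is the quickest way to confirm these positions on a given server before relying on the report.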