Powershell for Parsing Logon and Logoff events from Windows Security Logs

$outputfile = @()
$ID = 4624,4634
Get-ChildItem -include *Security*.evtx, Archive*.evt, Archive*.evtx -Path C:\Windows\System32\winevt\Logs -recurse |
ForEach-Object {
"Parsing $($_.fullname)`r`n" >> .\Logging.txt
Try
{
Get-WinEvent -FilterHashtable @{path=$_.fullname;logname='Security';ID=$ID; data='S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX'; ProviderName='Microsoft-Windows-Security-Auditing';} -EA Stop >> .\Logging.txt
}
Catch [System.Exception]
{
"No logon events in current log" >> .\Logging.txt
}
}

The code above will run through Windows Log directory (C:\Windows\System32\WinEvt\Logs\) and search Security logs for any Logon and Logoff Event IDs. This can easily be modified to search other evtx logs for any ID, just edit as necessary.

Leave a Reply

Your email address will not be published. Required fields are marked *