Tracking down failed logon attempts

  • Question

  • Hi all,

    We've got a series of accounts that have a ton of failed logon events; they are having as many as 6 per minute.  I've figured that out by running the PowerShell script:

    Get-EventLog -LogName Security | ?{$_.message -like "*username*"} 

    However, is there a script to run that will tell me where these failed attempts are coming from?

    Monday, February 19, 2018 6:23 PM

All replies

  • Use Get-WinEvent to get the message by ID.  Read the complete message.  It will tell you the originating system.

    Here is another method that produces  an HTML report: https://gallery.technet.microsoft.com/scriptcenter/Failed-Logins-Report-ccf071a9


    \_(ツ)_/

    • Marked as answer by w_washington Tuesday, February 20, 2018 8:19 PM
    Monday, February 19, 2018 6:28 PM
  • The link below will also be helpful for you.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b2be4f10-8581-43b1-859e-f4c196adc88e/getwinevent-is-not-showing-computer-name?forum=winserverpowershell


    Regards kvprasoon

    This is really not a good link for this question.  It contains some good information and a bunch of incorrect although workable answers.  Learning how the subsystems actually work and how to correctly use the commands is critical here.  Sending a user in the wrong direction is not helpful to someone who has absolutely no technical knowledge of PowerShell or the event log.

    Every admin and tech should read the documentation on MSDN that explains how the event log works. It will make the event log a powerful source of answers. Correct use of Get-WinEvent can get answers quickly and with extreme power and razor-accurate targeting of clues and statistics.

    I see this constantly:

    Get-WinEvent Security | Where {$_.ID -eq 10}

    That will always read the complete log file.  No matter how you build the filter, you will always return all records before filtering them.

    This:

    Get-WinEvent -FilterHashTable @{Logname='Security';ID=4625,4626}

    The above will use the indexes to return only those records.  It can be more than 100 times faster.  With FilterXML we can even filter on the properties of the data portion of the event.

    All of this becomes obvious to those who have actually taken a formal course in PowerShell and have taken the time to learn the subsystems of Windows.  There are also many excellent training books on PowerShell.  Good scripters have usually studied three or more of these books.


    \_(ツ)_/

    Monday, February 19, 2018 7:09 PM
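Putting the two replies above together, here is an added example (not posted in this thread and not from the linked gallery script) that does what the original question asks: it uses an indexed FilterXml query so the event log service returns only the 4625 (logon failure) and 4771 (Kerberos pre-authentication failed) records for one account, then reads the originating address and workstation out of each event's EventData and summarises the failures by source. The account name `username` and the 24-hour window are placeholders; the EventData field names (TargetUserName, IpAddress, WorkstationName, Status, LogonType) are the ones Windows writes for those two event IDs.

```powershell
# Added example, not from the thread. Run on the DC or server whose Security
# log holds the failures. Replace the placeholder account and window as needed.
param(
    [string]$Account = 'username',                 # placeholder sAMAccountName
    [datetime]$Since = (Get-Date).AddHours(-24)    # placeholder look-back window
)

# FilterXml pushes both the System-level and the EventData-level conditions into
# the event log service, so only matching records come back (unlike piping a
# whole log through Where-Object). The Data key of -FilterHashtable matches any
# EventData value; the XPath below targets the TargetUserName field specifically.
$sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4771)
        and TimeCreated[@SystemTime>='$sinceUtc']]]
      and *[EventData[Data[@Name='TargetUserName']='$Account']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

# EventData is a list of named <Data> elements; index them by name so the
# fields can be read regardless of their position in a given event ID.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$rows = foreach ($e in $events) {
    $d = Get-EventData $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Account     = $d['TargetUserName']
        Domain      = $d['TargetDomainName']
        # 4625 carries the source address and the workstation name; 4771 carries
        # only the client address, usually IPv6-mapped (e.g. ::ffff:10.0.0.5).
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        # 4625: NTSTATUS (0xC000006A = bad password); 4771: Kerberos error (0x18).
        Status      = $d['Status']
        LogonType   = $d['LogonType']
    }
}

# Which origins are generating the failures, how many, and over what period.
$rows | Group-Object SourceIP, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Origin'; e={ $_.Name }},
        @{n='First';  e={ ($_.Group | Measure-Object Time -Minimum).Minimum }},
        @{n='Last';   e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize
```

A steady rate of failures from one source (the "6 per minute" in the question) with a bad-password status usually points at a stale credential on that host, such as a saved service, mapped drive or scheduled task, rather than a person typing; the Origin column is the first thing to check before locking anything down. On a domain controller the 4771 events are the ones to look at for domain accounts, since a pre-authentication failure never produces a 4625 on the DC.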
  • I used the below script to get the output I needed.  Thanks

    Get-WinEvent -FilterHashtable @{logname='security';id=4771;data='username'} | fl

    Tuesday, February 20, 2018 8:20 PM