Shulou(Shulou.com)06/03 Report--

1. Simple needs?

Requirements: windows server2008R2 environment, you need to count the number of user logins in the past 7 days.

It seems very simple. I just know the event ID of the server2008 login event. To start counting, 4624 is the login event ID:

The statistical results are as follows:

You don't seem to have logged in so many times?

By looking at the login log, it is found that at the real login time, it is this log. The other difference is that the process name of this log record is winlogon.exe. In order to achieve more accurate filtering, you need to start here.

two。 Further screening

Click "details" in "event Properties" and you can see a message, which will be used later:

In filter current Log, select "XML"

Check "manually Edit query" and confirm:

Add the following settings to manual editing

* [EventData [Data [@ Name='ProcessName'] and (Data='c:\ windows\ system32\ winlogon.exe')] and

As shown in the figure (the PrcessName and winlogon.exe are seen earlier in "details" in "event Properties"):

After clicking OK, the filtered result is the accurate login result.

3. Login filtering for windows server 2012

There may be some minor changes in windows server2012, but it doesn't matter, just follow the previous solution. The following can be used for reference:

* [EventData [Data [@ Name='ProcessName'] and (Data='c:\ windows\ system32\ winlogon.exe')] and

* [EventData [Data [@ Name='LogonType'] and (Data='10')]] and

Supplement

XML can also filter other desired information. If you are interested, you can try it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.