Get-RemoteLogonEvent
NAME Get-RemoteLogonEvent
SYNOPSIS
This function queries the security log for EventIds 4624,4625,4634,4778,4779.
SYNTAX
Get-RemoteLogonEvent [[-ComputerName] <String[]>] [[-Credential] <PSCredential>] [[-StartTime] <DateTime>]
[[-EndTime] <DateTime>] [[-MaxEvents] <Int64>] [-Oldest] [-Raw] [<CommonParameters>]
DESCRIPTION
This function queries the security log for EventIds 4624,4625,4634,4778,4779.
PARAMETERS
-ComputerName <String[]>
Gets events from the event logs on the specified computer(s). Type the NetBIOS name, an Internet Protocol (IP)
address, or the fully qualified domain name of the computer. The default value is the local computer.
Required? false
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default value is the current user.
Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by
the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the
parameter name, you will be prompted for both a user name and a password.
Required? false
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EndTime <DateTime>
Specifies the end of the time period for the event log query.
Required? false
Position? 3
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-MaxEvents <Int64>
Specifies the maximum number of events this function returns. Enter an integer. The default is to return all
the events in the logs.
Required? false
Position? 4
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Oldest [<SwitchParameter>]
Returns the events in oldest-first order. By default, events are returned in newest-first order.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-StartTime <DateTime>
Specifies the beginning of the time period for the event log query.
Required? false
Position? 2
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Raw [<SwitchParameter>]
Use this switch to have the function return the raw event log record.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String[]
OUTPUTS
System.Object
NOTES
-------------------------- Example 1 --------------------------
PS C:\> Get-RemoteLogonEvent -ComputerName WKSTN47 -MaxEvents 5

ComputerName : WKSTN47.contoso.com
TimeCreated : 5/11/2018 1:16:51 PM
Id : 4625
Level : Information
EventType : Logon Failure
UserName : WKSTN47\GUEST
IpAddress :
LogonID :
Reason : Account currently disabled.
LogonMethod : Network

ComputerName : WKSTN47.contoso.com
TimeCreated : 5/11/2018 11:15:51 AM
Id : 4625
Level : Information
EventType : Logon Failure
UserName : CONTOSO\CARROLLD
IpAddress : 127.0.0.1
LogonID :
Reason : Unknown user name or bad password.
LogonMethod : Interactive (local system)
RELATED LINKS
Online Version: https://powershell.anovelidea.org/modul ... Event.html
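
An added example, not part of the module or the original help text: it triages the function's default output for bursts of failed logons (Id 4625) per computer, user and source address. Find-FailedLogonBurst, its parameters and the sample records are hypothetical; it assumes the output objects carry the properties shown in Example 1, with TimeCreated as a DateTime.

```powershell
# Added example. Find-FailedLogonBurst and its parameters are hypothetical names.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$InputObject,
        [int]$Threshold = 3,              # failures needed to report a group
        [timespan]$Window = '00:10:00'    # all of them within this span
    )
    begin { $failures = [System.Collections.Generic.List[object]]::new() }
    process {
        # Keep only failed logons (event ID 4625); ignore 4624/4634/4778/4779.
        foreach ($e in $InputObject) { if ($e.Id -eq 4625) { $failures.Add($e) } }
    }
    end {
        $failures |
            Group-Object { '{0}|{1}|{2}' -f $_.ComputerName, $_.UserName, $_.IpAddress } |
            ForEach-Object {
                $times = @($_.Group.TimeCreated | Sort-Object)
                $burst = $false
                # Sliding window: are any $Threshold consecutive failures within $Window?
                for ($i = 0; $i + $Threshold -le $times.Count; $i++) {
                    if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) { $burst = $true; break }
                }
                if (-not $burst) { return }   # skip quiet groups
                $first = $_.Group[0]
                [pscustomobject]@{
                    ComputerName = $first.ComputerName
                    UserName     = $first.UserName
                    # IpAddress can be blank, as in the first record of Example 1.
                    IpAddress    = if ($first.IpAddress) { $first.IpAddress } else { '(not recorded)' }
                    Failures     = $_.Count
                    FirstSeen    = $times[0]
                    LastSeen     = $times[-1]
                    Reasons      = ($_.Group.Reason | Sort-Object -Unique) -join '; '
                }
            }
    }
}
# Constructed sample records shaped like the output in Example 1.
$t0 = [datetime]'2018-05-11T11:15:00'
$sample = @(
    0, 40, 95, 130 | ForEach-Object {
        [pscustomobject]@{ ComputerName = 'WKSTN47.contoso.com'; TimeCreated = $t0.AddSeconds($_); Id = 4625
            UserName = 'CONTOSO\CARROLLD'; IpAddress = '192.0.2.10'; Reason = 'Unknown user name or bad password.' }
    }
    [pscustomobject]@{ ComputerName = 'WKSTN47.contoso.com'; TimeCreated = $t0.AddHours(2); Id = 4625
        UserName = 'WKSTN47\GUEST'; IpAddress = ''; Reason = 'Account currently disabled.' }
)
$sample | Find-FailedLogonBurst -Threshold 3 -Window '00:05:00'
```

Against live data the same filter takes the function's output directly, for example `Get-RemoteLogonEvent -ComputerName WKSTN47 -StartTime (Get-Date).AddHours(-1) | Find-FailedLogonBurst`; this assumes the default output rather than -Raw.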