This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

String filtering in Windows Events message

Go to solution
FloGem
Engaged Sweeper II

‎04-05-2017 03:49 PM

Hi all,

I would like to monitor a specific event in the Windows Security Eventlog: the remote connection.
As far as I know this connection generates a successfull login event, but the Logon Type is 10.
So il tne massage I can find Logon Type: 10. Ok, I can see it when I create a report, but the point is that I see it when I report all the events, but cannot filter only on this Logon Type: 10.
Of course, I tried Like '%Logon Type: 10%', but in this case I get no answer from the database.
By the other hand, if I test Like '%Logon Type%' it works..... It drives me nuts
Anyone has an idea about this??

Thanks in advance

Best regards
Labels:
1 ACCEPTED SOLUTION
Go to solution
Susan_A
Lansweeper Alumni

‎04-14-2017 11:14 AM

We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
Three solutions that work for us to find "Logon Type: 3" events:
  • The filter below returns more unwanted results, if "3" is mentioned elsewhere in the events, but is the simplest filter and compatible with SQL Compact and SQL Server databases.
    Where tblNtlogMessage.Message Like '%logon type:%3%'

  • The filter below uses SubString and CharIndex to isolate the "3" after "Logon type:" and is compatible with SQL Compact and SQL Server databases.
    Where SubString(tblNtlogMessage.Message, CharIndex('logon type:',
      tblNtlogMessage.Message) + 13, 1) = '3' And tblNtlogMessage.Message Like
      '%logon type:%'

  • The filter below specifically looks for tabs in the string, but is only compatible with SQL Server databases. SQL Compact doesn't recognize the Char(9) function that identifies tabs.
    Where tblNtlogMessage.Message Like '%' + 'logon type:' + Char(9) + Char(9) + '3' + '%'

You can see which database server you're using in the Configuration\Your Lansweeper License section of the web console. We'll post our answer on the forum as well. Just for future reference: we do not guarantee a response on the forum. If you require input from us, be sure to contact us via email.

View solution in original post

3 REPLIES 3
Go to solution
FloGem
Engaged Sweeper II

‎04-18-2017 11:31 AM

Hello

Many thanks, it works fine now !!


Best regards
0 Kudos
Go to solution
Susan_A
Lansweeper Alumni

‎04-14-2017 11:14 AM

We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
Three solutions that work for us to find "Logon Type: 3" events:
  • The filter below returns more unwanted results, if "3" is mentioned elsewhere in the events, but is the simplest filter and compatible with SQL Compact and SQL Server databases.
    Where tblNtlogMessage.Message Like '%logon type:%3%'

  • The filter below uses SubString and CharIndex to isolate the "3" after "Logon type:" and is compatible with SQL Compact and SQL Server databases.
    Where SubString(tblNtlogMessage.Message, CharIndex('logon type:',
      tblNtlogMessage.Message) + 13, 1) = '3' And tblNtlogMessage.Message Like
      '%logon type:%'

  • The filter below specifically looks for tabs in the string, but is only compatible with SQL Server databases. SQL Compact doesn't recognize the Char(9) function that identifies tabs.
    Where tblNtlogMessage.Message Like '%' + 'logon type:' + Char(9) + Char(9) + '3' + '%'

You can see which database server you're using in the Configuration\Your Lansweeper License section of the web console. We'll post our answer on the forum as well. Just for future reference: we do not guarantee a response on the forum. If you require input from us, be sure to contact us via email.
Go to solution
FloGem
Engaged Sweeper II

‎04-11-2017 08:29 AM

I again

After some investigations, I think I found the reason of the problem:

In Windows event log, the string I need is:

Logon Type:<tab><tab><tab>3 (where <tab> is... a tab)

The Hex conversion of thei string gives :

4C 6F 67 6F 6E 20 54-79 70 65 3A 09 09 09 33 |Logon Type:...3|

We can see the three tabs as 09 09 09

In the Lansweeper database we have the same string, with three tabs, so I made a copy of this string, and pasted it is the query

Where tblNtlogMessage.Message Like '%Logon Type:<tab><tab><tab>3%'

Ok, now it should work ! I save and run the query, and got no result...!
Back to the report, I can see the "Where" doesnt look like it was :

Where tblNtlogMessage.Message Like '%Logon Type: 3%'

And an Hex conversion confirms:

4C 6F 67 6F 6E 20 54 79-70 65 3A 20 20 20 33 |Logon Type: 3|

The original <tab><tab><tab> has been changed to <spc><spc><spc> (space)!!!

So it seems that the Query builder of Lansweeper cannot understand <tab>, and replaces it by a <spc> (space)

By the other hand, if I use the same filter, with tabs, in the result window of the reports, it works !

At last, if I use a wildcard (%) in my query, (Where tblNtlogMessage.Message Like '%Logon Type:%3%') it doesn't work either...

Ok, as I said, I think I got the reason, but not the solution

Any clue ?

Thanks all

Best regards

Flo
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now