FloGem
Engaged Sweeper II
Hi all,

I would like to monitor a specific event in the Windows Security Eventlog: the remote connection.
As far as I know this connection generates a successful login event, but the Logon Type is 10.
So in the message I can find Logon Type: 10. Ok, I can see it when I create a report, but the point is that I see it when I report all the events, but cannot filter only on this Logon Type: 10.
Of course, I tried Like '%Logon Type: 10%', but in this case I get no answer from the database.
On the other hand, if I test Like '%Logon Type%' it works... It drives me nuts.
Does anyone have an idea about this?

Thanks in advance

Best regards
1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
Three solutions that work for us to find "Logon Type: 3" events:
  • The filter below returns more unwanted results, if "3" is mentioned elsewhere in the events, but is the simplest filter and compatible with SQL Compact and SQL Server databases.
    Where tblNtlogMessage.Message Like '%logon type:%3%'

  • The filter below uses SubString and CharIndex to isolate the "3" after "Logon type:" and is compatible with SQL Compact and SQL Server databases.
    Where SubString(tblNtlogMessage.Message, CharIndex('logon type:',
    tblNtlogMessage.Message) + 13, 1) = '3' And tblNtlogMessage.Message Like
    '%logon type:%'

  • The filter below specifically looks for tabs in the string, but is only compatible with SQL Server databases. SQL Compact doesn't recognize the Char(9) function that identifies tabs.
    Where tblNtlogMessage.Message Like '%' + 'logon type:' + Char(9) + Char(9) + '3' + '%'

You can see which database server you're using in the Configuration\Your Lansweeper License section of the web console. We'll post our answer on the forum as well. Just for future reference: we do not guarantee a response on the forum. If you require input from us, be sure to contact us via email.


3 REPLIES 3
FloGem
Engaged Sweeper II
Hello

Many thanks, it works fine now !!


Best regards
FloGem
Engaged Sweeper II
Me again

After some investigations, I think I found the reason of the problem:

In Windows event log, the string I need is:

Logon Type:<tab><tab><tab>3 (where <tab> is... a tab)

The hex conversion of this string gives:

4C 6F 67 6F 6E 20 54-79 70 65 3A 09 09 09 33 |Logon Type:...3|

We can see the three tabs as 09 09 09

In the Lansweeper database we have the same string, with three tabs, so I made a copy of this string, and pasted it in the query

Where tblNtlogMessage.Message Like '%Logon Type:<tab><tab><tab>3%'

Ok, now it should work ! I save and run the query, and got no result...!
Back in the report, I can see the "Where" doesn't look like it was:

Where tblNtlogMessage.Message Like '%Logon Type:   3%'

And a hex conversion confirms:

4C 6F 67 6F 6E 20 54 79-70 65 3A 20 20 20 33 |Logon Type:   3|

The original <tab><tab><tab> has been changed to <spc><spc><spc> (space)!!!

So it seems that the Query builder of Lansweeper cannot understand <tab>, and replaces it by a <spc> (space)

On the other hand, if I use the same filter, with tabs, in the result window of the reports, it works!

At last, if I use a wildcard (%) in my query, (Where tblNtlogMessage.Message Like '%Logon Type:%3%') it doesn't work either...

Ok, as I said, I think I got the reason, but not the solution

Any clue ?

Thanks all

Best regards

Flo
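
Added example, not part of the original thread and not Lansweeper code: a Python emulation of the three filters from the accepted answer, run over constructed event messages with two tabs, three tabs and spaces after "Logon Type:", next to a whitespace-tolerant regular expression that reads the exact value. The sample messages, the function names and the case-insensitive matching (as with a case-insensitive SQL Server collation) are assumptions.

```python
import re

# Constructed event excerpts (not from a real log). The label and its value are
# separated by tabs; the thread shows both a two-tab and a three-tab variant.
HEAD = "An account was successfully logged on.\r\n"
SAMPLES = {
    "two_tabs_type3": HEAD + "Logon Type:\t\t3\r\nSource Port:\t49213\r\n",
    "three_tabs_type3": HEAD + "Logon Type:\t\t\t3\r\nSource Port:\t49213\r\n",
    "three_tabs_type10": HEAD + "Logon Type:\t\t\t10\r\nSource Network Address:\t192.0.2.13\r\n",
    "spaces_type3": HEAD + "Logon Type:   3\r\nSource Port:\t49213\r\n",
}
LABEL = "logon type:"

def like_wildcard(msg, value):
    """Like '%logon type:%<value>%': value may sit anywhere after the label."""
    lowered = msg.lower()
    pos = lowered.find(LABEL)
    return pos != -1 and value in lowered[pos + len(LABEL):]

def substring_offset(msg, value, offset=13):
    """SubString(Message, CharIndex('logon type:', Message) + offset, 1) = value."""
    pos = msg.lower().find(LABEL)  # 0-based here, CharIndex/SubString are 1-based
    return pos != -1 and msg[pos + offset:pos + offset + 1] == value

def like_tabs(msg, value, tabs=2):
    """Like '%' + 'logon type:' + Char(9) * tabs + value + '%'."""
    return (LABEL + "\t" * tabs + value) in msg.lower()

# Tolerates any run of tabs or spaces and captures the whole number,
# so type 10 is never confused with a stray "3" later in the message.
LOGON_TYPE_RE = re.compile(r"logon type:[ \t]*(\d+)", re.IGNORECASE)

def logon_type(msg):
    match = LOGON_TYPE_RE.search(msg)
    return int(match.group(1)) if match else None

def compare(value="3"):
    """Per sample: (wildcard, substring+13, two-tab Like, parsed logon type)."""
    return {
        name: (like_wildcard(msg, value), substring_offset(msg, value),
               like_tabs(msg, value), logon_type(msg))
        for name, msg in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:18} {row}")
```

The wildcard form also matches the type 10 sample because of the "3" in the constructed address, while the fixed-offset and two-tab forms miss every sample whose separator is not exactly two tabs.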