
Query for Windows Failed Logon

Hi,

I'm having problems trying to query the Windows Events Log... specifically for event ID 4625 for logon failure audit. I only want to return events where the Logon Type is NOT equal to 11. Below is the query:

SELECT
        events.arc_peerName "Peer Logger",
        events.arc_deviceAddress "Device IP",
        LEFT(events.arc_deviceHostName,9) "Device Host Name",
        events.arc_destinationUserName "User Name",
        DATE_FORMAT(events.arc_endTime,"%Y-%m-%e %H:%i:%s") "Time",
        events.arc_deviceCustomNumber1 "Logon Type",
        sum(events.arc_baseEventCount) "Count"
FROM    events
WHERE   events.arc_deviceCustomString2 LIKE "Logon%"
        AND events.arc_categoryOutcome = "/Failure"
        AND events.arc_deviceCustomNumber1 != 11
GROUP BY events.arc_peerName,
        events.arc_destinationUserId,
        events.arc_destinationUserName,
        events.arc_endTime,
        LEFT(events.arc_deviceHostName,9)
ORDER BY events.arc_peerName,
        sum(events.arc_baseEventCount) DESC

0 Likes
2 Replies
Micro Focus Expert

What is not working?


Does the query you wrote get the events you need?


0 Likes
Cadet 1st Class

Try this:

events.arc_deviceCustomNumber1 != '11.0'

0 Likes