cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 9

PS Script to monitor service account login in the server

Hi. I want to monitor a service account is logged in to the particular server or not in Solarwinds using PS script. As I'm new to the Solarwinds, can anyone help me to guide on how can I achieve it with PS script? Thank you.

7 Replies
Community Manager
Community Manager

Yeah - we're going to need a little more syntax around this.  What are you actually trying to solve with the script.  If you just want that an account logged in you can do something like:

Get-WinEvent -LogName Security |Where-Object { $_.Id -eq 4624 -and $_.TimeCreated -ge ( Get-Date ).AddHours(-1) }

But that doesn't really _solve_ anything.

"Shoot for the stars to reach the moon"
0 Kudos

KMSigma​ - I want to generate an alert if svc account got logged off or didn't auto login after server restart

0 Kudos

OK, that description is much more helpful! I don't have time right now to write a solution for you, but can provide some pointers:

The snippet that KMSigma​ provided is exactly the place to start. (Get a script working locally on your server, and then we can help make it work remotely from Orion.)

There are probably two other pieces of information that you'll need to look at in order to fulfill the needs of your script.

  1. Logon type. As this article and others describe, Windows tracks a number of different logon types for every logon event. You'll want to check your security events for logon type 5 (service logon). "This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration."
  2. Find out when the server was last rebooted so you can look for the service account logon event in time proximity with the startup event[s].

Finding all service logons in the Security Event logs would look like the code below. (KMSigma​, can you think of a better way?) The -match operator tells PowerShell to use regex to find a string match and the [\s] is any whitespace characters. Thus, the query looks for logon events that occurred in the past hour and contain the string "Logon Type: 5".

Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624 -and $_.TimeCreated -ge (Get-Date).AddHours(-1) -and $_.Message -match 'LogonType:+[\s]+5'}

If you're looking for a specific service account (e.g. one named "domain\service1") the following might work:

Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624 -and $_.TimeCreated -ge (Get-Date).AddHours(-1) -and $_.Message -match 'service1'}

Hope this helps you get started!

So first question, and I'm not trying to be a jerk

Do you already have a PowerShell script that can check the security event logs for the service account logins that you're interested in? Are you familiar with how to pull event logs using PowerShell?

0 Kudos

sturdyerde​ - I don't have script too and not much familiar on pulling event logs from powershell.

0 Kudos

Just trying to figure out how/where we can help you with this question.

0 Kudos

sturdyerde​ - I have created below PS script which is working in PS but not in SolarWinds SAM template:

$usrname="USERNAME"

$Computer="SERVERNAME";

$quserOut= quser.exe $usrname /Server:RTPWLOWPBAT07 2>&1;

if($quserOut -notmatch "No User Exist"){

Write-Host "Message: User is currently logged on";

Write-Host "Statistic: 1";

}else{

Write-Host "Message: User does not currently logged on";

Write-Host "Statistic: 0";

}

Can you please help what I'm missing here?

0 Kudos