FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
mahmad
Staff
Article Id 255181
Description: This article describes how to filter the logon events for a username that is missing on the FSSO Collector Agent or on the FortiGate. The filter narrows the user's logon events on the Windows domain controller so that the logon details can be compared against what the FSSO CA or FortiGate shows for that user.
Scope: Windows Server 2012-2022 and PowerShell CLI.
Solution

1) Using Windows Event Viewer:

Open Event Viewer from the Windows Server search bar.

The following XML query filters the Security log down to events for a single username (the TargetUserName field of the event data):

<QueryList>
<Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name='TargetUserName']='user1']]</Select></Query>
</QueryList>

In the query, replace 'user1' with the affected username.

 

Create a custom XML query for user1 (Filter Current Log, XML tab, 'Edit query manually') and paste the query above.

Refresh the filter to get the latest Logon Events.


2) Using PowerShell CLI:

The following PowerShell command lists the logon events (IDs 4624 and 4634) for a particular username ('samaccountname') and returns only the last 10. The event IDs and the maximum number of entries can be adjusted as needed.

# Requires the ActiveDirectory module (RSAT) and read access to the Security log.
$user = 'samaccountname'
$sid = (Get-ADUser $user).SID.Value
# Data=$sid matches the SID in any EventData field (TargetUserSid for 4624/4634).
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624,4634;Data=$sid} -MaxEvents 10 | Select-Object TimeCreated,Id,TaskDisplayName,Message | Format-Table -AutoSize


 

Example:

$user = 'user1'
$sid = (Get-ADUser $user).SID.Value
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624,4634;Data=$sid} -MaxEvents 10 | Select-Object TimeCreated,Id,TaskDisplayName,Message | Format-Table -AutoSize


The details of these logon events, such as TimeCreated for the affected username's 4624 event, can then be compared with the FSSO collector agent's 'Show Logon Users' list to check whether the CA received the logon information or not.
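As an added example (not part of the original article), the following script extends the one-liner above: it pulls the same 4624/4634 events for one user and parses each event's XML body for the fields the FSSO collector agent displays (domain, user, logon type, logon ID, source IP, workstation), so the rows can be matched one by one against 'Show Logon Users'. The script name, parameter names and the Get-EventField helper are assumptions; it also assumes the ActiveDirectory module is installed and that the session can read the Security log on the domain controller it is pointed at.

```powershell
# Get-UserLogonEvents.ps1 (added example, not from the article)
# Usage: .\Get-UserLogonEvents.ps1 -SamAccountName user1 -ComputerName DC01
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$MaxEvents = 10,
    [string]$ComputerName = $env:COMPUTERNAME   # point at a DC for domain logons
)

Import-Module ActiveDirectory
$sid = (Get-ADUser -Identity $SamAccountName).SID.Value

# Helper (assumed name): read one named <Data> element from the event XML.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Same filter as the article's one-liner; Data=$sid matches TargetUserSid.
$filter = @{ LogName = 'Security'; ID = 4624, 4634; Data = $sid }

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventID     = $_.Id
            # Domain\user as the FSSO CA shows it
            User        = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'),
                                       (Get-EventField $x 'TargetUserName')
            LogonType   = Get-EventField $x 'LogonType'      # 2=interactive, 3=network, 10=RDP
            LogonId     = Get-EventField $x 'TargetLogonId'  # pairs a 4624 with its 4634
            IpAddress   = Get-EventField $x 'IpAddress'      # 4624 only; empty on 4634
            Workstation = Get-EventField $x 'WorkstationName'
        }
    } | Format-Table -AutoSize
```

Compare the TimeCreated, User and IpAddress columns of the 4624 rows with the corresponding entries in 'Show Logon Users'; a 4624 with no later 4634 for the same LogonId is a session the CA should still be listing.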


Related article:

Technical Tip: Windows event IDs used by FSSO in W... - Fortinet Community
