What would be the best way to see successful logon...
# windowsm
Matt Johnson
04/15/2020, 7:06 PMWhat would be the best way to see successful logons from the previous night. Doing a event view query pulls the event viewer logs in order so the ones I currently pull up even with a limit of 500 are for a few days ago.
s
sundsta
04/15/2020, 8:01 PMAll evented tables have an event time, and you can use a
WHEREm
Matt Johnson
04/15/2020, 8:40 PMThanks, I had been trying that. The query I set with a between clause looked like this.
Matt Johnson
04/15/2020, 8:40 PMSELECT * FROM windows_events WHERE source IN ('Security') AND eventid IN (4625) LIMIT 500 and datetime between '2020-04-14T230000.000000000Z' and '2020-04-14T235900.000000000Z'
s
sundsta
04/15/2020, 10:08 PMIs that the format of the datetime column? I’m just used to *nix where it’s in unix epoch. In any case, you probably have to convert those timestamps to a format sqlite works with before performing comparisons like that
sundsta
04/15/2020, 10:09 PMm
Matt Johnson
04/16/2020, 1:15 AMThank you will take a loook