Loginsearch.ps1 – What is it?
Loginsearch.ps1 is a small PowerShell script that collects information useful to Umbrella Support for troubleshooting purposes.
It is helpful should you be troubleshooting why certain users are not showing the correct activity in the reports or activity searching on the Umbrella dashboard.
It can be run on any Domain Controller, because logon events should be replicated between DCs.
However, if your search returns no events when you are expecting to see them from a particular host, event log replication between servers may be failing. In that case, find out the %LOGONSERVER% used by that host and run the script on that specific Domain Controller. If you STILL see no events, make sure that logon events are being audited by checking the 'Audit Policy' settings as described in our Required Permissions article.
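The pre-checks described above, as an added PowerShell example (this is not Umbrella's loginsearch.ps1 and not part of the article). It assumes that the logon events of interest are 4624 (an account was successfully logged on) and 4768 (a Kerberos TGT was requested), and that auditpol's built-in subcategory names 'Logon' and 'Kerberos Authentication Service' are the ones to check; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not the original script. Step 1 runs on the affected
# workstation; step 2 runs on the Domain Controller that step 1 names.

# --- Step 1 (workstation): which DC processed this host's logon?
# %LOGONSERVER% is set at logon and has the form \\DCNAME.
$logonServer = $env:LOGONSERVER.TrimStart('\')
Write-Host "This host authenticated against: $logonServer"

# --- Step 2 (that DC): is logon auditing enabled, and are events present?
# 4624 is produced by the Logon subcategory (Logon/Logoff);
# 4768 by the Kerberos Authentication Service subcategory (Account Logon).
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Kerberos Authentication Service"

# Count logon events written to the local Security log in the last 24 hours.
# Zero events with auditing enabled points to a replication or log-retention
# problem rather than a problem with the search itself.
$since = (Get-Date).AddHours(-24)
$count = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768; StartTime = $since } `
          -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host "Logon events (4624/4768) in the last 24 hours: $count"
```

Run the first part in a normal PowerShell window on the workstation; the second part needs an elevated window on the DC, since reading the Security log and querying audit policy require administrative rights.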
The script is attached to the bottom of this article. The information gathered can be used for troubleshooting either by yourself or by Umbrella Support.
How do I run the script?
Easy!
- Download the text file attached and rename the extension from '.txt' to '.ps1'.
Note: Be careful of double extensions; don't accidentally name it '.txt.ps1'.
- From a Windows server, open a new PowerShell window started via 'Right-click > Run as Administrator'.
- Navigate to the location you saved the script to (for example, 'cd C:\Users\admin\Downloads') and execute the script by typing '.\loginsearch.ps1'.
- The script will prompt you for the username you want to search the Windows security event logs for and then for a specific IP address if you prefer to search by IP. You'll just need to follow the on-screen prompts.
- You can search by username alone, by IP address alone, or by both together, should you want to limit the results to a specific user AND IP address.
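A search script with the behaviour the steps above describe, written here as an added example; it is not Umbrella's loginsearch.ps1 and its output format is not the original's. It assumes logon events are 4624 (successful logon) and 4768 (Kerberos TGT requested), that the client address is the event's IpAddress field, and it limits the search to the last 7 days (the $Days parameter, an assumption) so that a busy DC's Security log is not read in full.

```powershell
# Added example, not the original loginsearch.ps1. Prompts for a username
# and/or an IP address, searches the local Security log for logon events that
# match either or both, prints a time-stamped summary and writes the full text
# of each matching event to C:\<hostname>.txt.
param(
    [string]$User = (Read-Host 'Username to search for (blank to skip)'),
    [string]$IP   = (Read-Host 'IP address to search for (blank to skip)'),
    [int]$Days    = 7   # assumption: how far back to search
)

if (-not $User -and -not $IP) {
    Write-Warning 'Enter a username, an IP address, or both.'
    return
}

# Pull candidate logon events (assumed IDs 4624 and 4768), then filter on the
# structured EventData fields rather than the message text, so that an IP
# such as 10.0.0.1 does not also match 10.0.0.10.
$filter = @{ LogName = 'Security'; Id = 4624, 4768; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $evtUser = $data['TargetUserName']
    # Kerberos events record IPv4 clients as ::ffff:a.b.c.d; normalise that.
    $evtIP   = ($data['IpAddress'] -replace '^::ffff:', '')

    # Apply whichever criteria the user supplied (-like allows wildcards).
    if ($User -and $evtUser -notlike $User) { continue }
    if ($IP   -and $evtIP -ne $IP)          { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $evtUser
        Domain  = $data['TargetDomainName']
        IP      = $evtIP
        Message = $e.Message
    }
}

if (-not $rows) {
    Write-Host "No matching logon events found in the last $Days days."
    return
}

# On-screen summary with time stamps
$rows | Select-Object Time, EventId, User, Domain, IP | Format-Table -AutoSize

# Complete export of every event shown above, one block per event
$outFile = "C:\$env:COMPUTERNAME.txt"
$rows | ForEach-Object { "{0}  EventID {1}`n{2}`n" -f $_.Time, $_.EventId, $_.Message } |
    Set-Content -Path $outFile
Write-Host "Full event details written to $outFile"
```

Run it from an elevated PowerShell window on the Domain Controller, as in the steps above; reading the Security log without administrative rights returns no events rather than an error, which is easy to mistake for "nothing was logged".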
The script is quick to run. When it has finished, you should see the output on screen, including time stamps. A complete export of each event log entry shown on screen is also written to 'C:\%hostname%.txt'. This can be useful should you want to dig further into a specific event.