How to access security event logs

IT administrators need to retrieve security events by type, filter it down by properties, and report findings. This enables them to stay on top of malicious activities, and ensure that Active Directory is running as expected.

This article compares how IT administrators can get the list of security event logs using PowerShell and ADAudit Plus.

Windows PowerShell

Steps to obtain the list of security event logs.

Identify the domain from which you want to retrieve the report.
Identify the LDAP attributes you need to fetch the report.
Identify the primary DC to retrieve the report.
Compile the script.
Execute it in Windows PowerShell.

Sample Windows PowerShell script

get-eventlog security

This will give the list of all the security logs

get-eventlog security -newest 50

This will give the list of the 50 most recent security event logs.

get-eventlog security -newest 100 |
  where \{$_.entrytype -eq `
    "FailureAudit"\}

This gives the 100 most recent security event logs pertaining to event failures.

Sample output:

ADAudit Plus

To obtain the report,

Login to ADAudit Plus web console as an administrator.
Navigate to the Reports tab to view more than 20 different report categories on the left pane.
Under each of these categories, you will find a multitude of reports arranged in a logical fashion.
To view a particular report, just navigate to the report or use "/" to search for reports using keywords.
For example, to view a report on logon failures, navigate to Reports -> User Logon Reports -> Logon Failures
You may use the Export As option to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Following are the limitations to obtain a report of last logon on workstations using native tools like Windows PowerShell:

The script can be executed only from the computers which has Active Directory Domain Services role.
It's difficult to change date formats, and apply different time zones on the date results.
In case you need to report the findings in a different file format, you'll have to write a different script.
Applying more filters like OU or 'User name starts with' will increase the LDAP query complexity.
It doesn't report the findings in an intuitive or interactive format. It only lists the information that is asked, and there is no option to navigate into finer details.

ADAudit Plus will generate the reports of your choice when you need them. You can run these reports by navigating to the right area within the solution. With a few clicks, you can see all the security log-related information you need along with intuitive graphs and charts.

Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.
By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.
Thanks!
Your download is in progress and it will be completed in just a few seconds! If you face any issues, download manually here.

Active Directory auditing

Windows file auditing

NAS device file auditing

Windows server auditing

Workstation auditing

Entra ID auditing

All features →

Help documents

Video zone

Webinars

Product brochures

Case studies

E-books

Awards zone

Study

How tos

Best practices

How to access security event logs

Windows PowerShell

Steps to obtain the list of security event logs.

Sample Windows PowerShell script

Sample output:

ADAudit Plus

To obtain the report,

Related Resources

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting