Forum Discussion
Query for computer start events
Hi everyone,
I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.
I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offered for Logon Activity by Computer.
search in (SecurityEvent) EventID == 4624
| summarize LogonCount = count() by Computer
| limit 500000
I found a list of the event numbers (here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/) and I believe 4608 "Windows is starting up" should work, but I can't seem to find where the options are to replace "LogonCount" with something that would indicate Windows starting instead. I'd also like to know how to sort that by computer and by day.
Appreciate any help you can offer, thanks!
- Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
7 Replies
- Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
Thank you so much, Stanislav!
Is it also possible to query for the total amount of time each computer is used each day (ideally excluding idle time)? Is that somewhere in the Perf table?
- Hi Your definition of idle is too vague. You will have to provide some explanation what you mean by idle time. There are thousand of performance counters on Windows Server and what Log Analytics gathers depends on what you've configured as data sources.
