Forum Discussion
Dillon Brown
Microsoft
MicrosoftQuery for computer start events
Hi everyone,
I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.
I think I am on the right track in the Security Event ...
- Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
I do not think any of those two have some kind of performance counters. For example interactive logons can be tracked only as events. If interactive login happens event is logged one time in the security log. I am not aware of there are other events which you can distinguish if machine was powered on from sleep or shutdown.
About performance counters I do not know where the documentation is. There are some basic performance counters that are on every system and additional ones are installed depending on the role of the system. As far as I know you will not find user performance counters as all counters are related to the server itself rather users. I usually look at the performance counters from perfmon and than try to find if there is more information on specific counter on Internet.
Dillon BrownMicrosoft
MicrosoftOk, got it. Thank you so much for your time! I have run across your blog posts researching other cases as well, very much appreciate your contributions!
- Thanks!
