Search for Logon Events with Loginsearch.ps1

Available Languages

Download Options

  • PDF     (6.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (79.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (63.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 13, 2025
Document ID:225205

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to search for logon events with Loginsearch.ps1, a PowerShell script.

    Background Information

    Loginsearch.ps1 is a small PowerShell script that collects information useful to Umbrella Support for troubleshooting purposes. It is helpful when troubleshooting why certain users are not showing the correct activity in the reports or activity searching on the OpenDNS Umbrella Dashboard, however can also be used to troubleshoot other types of issues.

    Run this on any standard Domain Controller as login events are replicated between DCs. However, IF when searching you see no events and are expecting to see them from a particular host, there can be an issue replicating event logs between servers. In this instance find out the %LOGONSERVER% used by that host, and then run the script on the Domain Controller specifically indicated. If you STILL see no events, make sure that logon events are being audited.

    The script is attached to the bottom of this article. The information gathered can be used for troubleshooting either by yourself or by OpenDNS Support.

    Run the Script

    Complete these steps:

    1. Download the text file attached and rename the extension from '.txt' to '.ps1'.
      note-icon

      Note: Be careful of double extensions, and do not accidentally name it ".txt.ps1".

    2. Then from a Windows server, open a new PowerShell window that was started by 'Right-Click -->Run as Administrator'. Navigate to the location you saved the script to (eg: 'cd C:\Users\admin\Downloads') and execute the script by typing .\loginsearch.ps1.
    3. The script first prompts the username you want to search the Windows security event logs for, and then for a specific IP address if you prefer to search by IP. Use the on-screen prompts. Either one or the other (Username or IP) searches can be used individually, or both can be used at the same time, if you want to limit search results to a specific User AND IP address at the same time.
    4. The script is quick to run. When it has finished you see the output both on the screen, which contains time stamps. Additionally complete export of each event log entry represented on the screen located in 'C:\%hostname%.txt' This can be useful if you want to dig further into a specific event.

    Revision History

    Revision Publish Date Comments
    1.0
    13-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products