NTLast 3.0 is a security audit tool for Windows NT. It's a Win32 command line utility with several switches that search the 
event log for Interactive/Remote/Failed logon stats. In it's simplist form, it reports the last ten successful logons at your 
computer.

It does two major things that event viewer does not. It can distinguish remote/interactive logons and it matches logon times 
with logoff times.

Some examples:

Command Line Switches
        -s      Last Successful Logons
        -f      Last Failed Logons
        -i      Last Interactive Logons
        -r      Last Remote Logons
        -u [u]  Logons by User - (u) = case sensitive username
        -m [m]  Name of machine to search - (m) = machine name
        -n [n]  Number of Last Logons - (n) = number of records records
        -from [\m]      Last logons from - (\m) = upper-case UNC server name
        -c      Condensed Output - Default
        -v      Verbose Output - shows logon/logoff/duration
        -not [u]        Filter out User - Case sensitive
        -null   Include null sessions - Ignored by default
        -mil    Military Time Output - Default matches event log time
        -file   File name - Saved .evt sec log to open
        -csv    Print output as CSV
        -rt     Raw date/times in CSV output
        -l      Last Successful Logon
        -l:i    Last Interactive Logon
        -l:r    Last Remote Logon
        -iis    IIS 4.0 logons only
        -ad     Include entries after this date/time - Specify military time
        -bd     Include entries before this date/time - Specify military time
                  (Switches -ad and -bd can be combined to get between date/time(s))
        - or /  Either switch statement can be used
        -?      Help

*Note - Switch arguments are case sensitive - 'UserX' and 'userx' are different
                                              'HOSTX' and '\HOSTX' are different
*Note - To view IIS 4.0 logons, use IIS switch - off by default
*Note - Blank spaces for user name map to NT Anonymous logons
*Note - File switch usage #1-> ntlast -m \\HOSTX -file c:\log\sec.evt
*Note - File switch usage #2-> ntlast -file \\HOSTX\log\sec.evt
*Note - Time searches use 24hr time - Sept, 20th 7am is 20/9/1999-7:0:0
                                      Sept, 20th 7pm is 20/9/1999-19:0:0
*Note - Using the /u switch last with no username generates list of NULL logons
*Note - For best usage - Set you console buffer to 1,000 lines or more
*Note - Redirect your output to a file - 'ntlast -v > report.txt'
*Note - Append your output like this  - 'ntlast -v >> report.txt'


	*** To obtain the IIS user logon info ***
ntlast /iis Includes IIS user account info - Filtered out by default
	*** To obtain verbose view details ***
ntlast -v Gets all the details and matches logon times to logoff times
	*** Two ways to open backup logs ***
ntlast -m \\server -file c:\log\sec.evt Gets the backup log on Server
ntlast -file \\server\log\sec.evt       Gets the backup log on Server

And most useful, I think, is ntlast /m machinename /f /r -----Gets last 10 failed remote attempts against machinename


PUTTING NTLAST IN YOUR SYSTEM PATH IS A VERY USEFUL THING TO DO.

SETTING YOUR COMMAND LINE BUFFER TO 500 LINES OR MORE IS GOOD.

