Processing Windows Event Viewer logs with PowerShell

While working with the Windows Event Viewer from PowerShell, it is better to make use of the command

Get-WinEvent

This is more powerful than the Get-EventLog command, which has a more limited scope.

Two major points of difference (courtesy: Managing event logs in PowerShell):

  • Get-WinEvent gives you much wider and deeper reach into the event logs. It can access log providers directly as well as tap into Windows event tracing logs. That said, it’s easier to delve into the content of classic event log entries with Get-EventLog.
  • For remoting, Get-WinEvent uses the built-in Windows event log remoting technology instead of PowerShell remoting. Thus, you’ll find that remote log queries run faster with Get-WinEvent than with Get-EventLog.

A comparison between the two can also be found in Processing Event Logs in PowerShell.

$starttime = (Get-Date).AddDays(-27)
$endtime = (Get-Date).AddDays(-1)
# LogName/StartTime/EndTime are evaluated by the event log engine, not in the pipeline
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$starttime; EndTime=$endtime} -MaxEvents 10 | Select-Object *

Piping Get-WinEvent to Select-Object * reveals all the properties of an event object, which are also the fields we can search on. The -MaxEvents switch limits the output to the newest N events. The use of a hashtable with Get-WinEvent is explained well in Advanced Event Log Filtering Using PowerShell.

Message : The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: usr
Source Workstation: SERVER01
Error Code: 0xC0000064
Id : 4776
Version : 0
Qualifiers :
Level : 0
Task : 14336
Opcode : 0
Keywords : -9218868437227405312345452
RecordId : 27939335804
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 548XX25-5X78-4XX4-X5ba-3e3b0XXd
LogName : Security
ProcessId : 612
ThreadId : 156552
MachineName : SERVER01.DOMAIN.CORP
UserId :
TimeCreated : 10.09.2017 14:09:45
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Credential Validation
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty}

We should note here that when searching with Get-WinEvent -FilterHashtable, the hashtable must contain at least one of the following three keys, which can be combined with any of the other keys.

LogName -> This can be seen from the "General" tab of the preview pane of the Windows Event Viewer console.

ProviderName -> This can be seen from the "Details" tab of the preview pane of the Windows Event Viewer console.

Path -> The full path of an archived .evtx file, used when the events are no longer in a live log (see below).

Searching through old archived evtx files

Making use of Path parameter

If we have archived old event log files in .evtx format on a network share or a local hard drive, scanning them for a particular event ID leaves us with very few tools at our disposal. In this situation the third parameter, "Path", will help us.

$starttime = (Get-Date).AddDays(-27)
$endtime   = (Get-Date).AddDays(-22)
# Select the archived .evtx files whose last-write time falls inside the window
$ls = Get-ChildItem "C:\LOGS\*.evtx" |
    Where-Object { $_.LastWriteTime -gt $starttime -and $_.LastWriteTime -lt $endtime }

foreach ($l in $ls) {
    if ($l.Name -notmatch "Temp") {
        # Path must be the full file name; the hashtable cannot filter on Message text,
        # so the account name is matched afterwards with Where-Object
        $a = Get-WinEvent -FilterHashtable @{Path=$l.FullName; Id=4738} -ErrorAction SilentlyContinue |
            Select-Object Message, Id, Level, ProviderName, LogName, ProcessId, ThreadId, MachineName, UserId, TimeCreated, ContainerLog |
            Where-Object { $_.Message -like '*user1*' }
        $a
        $a | Out-File "C:\log.txt" -Append
    }
}

Parsing through a string in message field of an event log

In the example above we have searched the text of the Message field of the events with ID 4738 (a user account was changed) for the account "user1". The hashtable cannot filter on the message text, so we resorted to Where-Object after the query.
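As an added example (not code from the original post), the same Path-based scan of archived .evtx files can be used to summarise the credential-validation failures (event ID 4776, the event shown earlier) per account and source workstation, reading the event's Properties collection instead of matching the Message string. The archive folder C:\LOGS, the 30-day window and the CSV output path are assumptions; the property order for 4776 is assumed from the event template and should be checked with $event.ToXml() on one sample event.

```powershell
# Added example, not from the original post. Assumed inputs: C:\LOGS (constructed).
$archive   = 'C:\LOGS'
$startTime = (Get-Date).AddDays(-30)
$endTime   = Get-Date

$files = Get-ChildItem -Path $archive -Filter '*.evtx' -File |
    Where-Object { $_.LastWriteTime -ge $startTime -and $_.Name -notmatch 'Temp' }

$failures = foreach ($file in $files) {
    # Path reads the archived file directly; Id/StartTime/EndTime are applied by the
    # event log engine, so only matching records reach the pipeline.
    Get-WinEvent -FilterHashtable @{
        Path      = $file.FullName
        Id        = 4776
        StartTime = $startTime
        EndTime   = $endTime
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
    ForEach-Object {
        # Assumed Properties order for 4776 (verify with $_.ToXml()):
        # [0] PackageName, [1] TargetUserName, [2] Workstation, [3] Status
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = $_.Properties[1].Value
            Workstation = $_.Properties[2].Value
            Status      = ('0x{0:X8}' -f [int64]$_.Properties[3].Value)   # e.g. 0xC0000064
            SourceFile  = $file.Name
        }
    }
}

# Summarise which account/workstation pairs produced the most failures and
# which NTSTATUS codes they returned (unknown user vs. bad password etc.).
$summary = $failures |
    Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Account';     e={ $_.Group[0].Account }},
        @{n='Workstation'; e={ $_.Group[0].Workstation }},
        @{n='Statuses';    e={ ($_.Group.Status | Sort-Object -Unique) -join ',' }}

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $archive '4776-failures.csv') -NoTypeInformation
```

A high count for one account from many workstations, or many accounts from one workstation, stands out immediately in this table, which is much harder to see from the raw Message text.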

We will wrap the discussion here 🙂