Powershell Get-EventLog and Security Event Log


  • Hello Community,

    I am running the following command from a ps script:

    Get-EventLog -LogName Security -After $startDate -Before $endDate -ComputerName $strServer

    which works perfectly, getting the events from any remote server on my domain. The query basically collects all events produced in a single day. What concerns me is the number of logon/logoff events that the command is producing on the server. Has anyone seen similar behaviour when running the command on a remote server? Does anyone have a suggestion on how to avoid it? I am not able to reproduce it when running locally.

    Thanks!


    JC - a.k.a Aramane


    Friday, September 27, 2013 4:09 PM

All replies

  • Not sure if you can suppress them, as in order to run it, your account is "logged on" to the server, even though you are not physically doing so. I would only see it having to do one logon, run the script and then log out; is that not the case?

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    Don't Retire Technet

    Friday, September 27, 2013 4:32 PM
  • Hi, yes, I actually realize that the initial logon is needed to run the script. The problem is that it is producing about 3,000+ entries on average for the single account running the script during the period the script is running, which is what concerns me.


    JC - a.k.a Aramane

    This is the script that I am running; I just want to make sure I am not doing something erroneously:


    # Functions to be used in the script
    Function Zip
    {
        Param ( [string]$zipFile, [string[]]$toBeZipped )
        # WZZIP takes the archive name first and then the files to add.
        # The original line passed the literal text "-toBeZipped" instead of
        # the value of the $toBeZipped parameter, so nothing was ever added.
        & $WinZip $zipFile $toBeZipped
    }

    # Variables to use in the script
    $txtServers = "Servers2.txt"
    $strDate = Get-Date
    $strNameDate = Get-Date -Format ddMMyyyy
    $WinZip = "C:\Program Files\WinZip\WZZIP.exe"

    # Collect the server names to check logfiles
    $strServerNames = Get-Content -Path "E:\Scripts\SecLog\$txtServers"

    # Create hash table for checking specific event log IDs (pre-Vista Security log IDs)
    $eventID = @{}
    $eventID.Add("528", "Successful Logon")
    $eventID.Add("529", "Logon Failure: Unknown user name or bad password")
    $eventID.Add("530", "Logon Failure: Account logon time restriction violation")
    $eventID.Add("531", "Logon Failure: Account currently disabled")
    $eventID.Add("532", "Logon Failure: The specified user account has expired")
    $eventID.Add("533", "Logon Failure: User not allowed to logon at this computer")
    $eventID.Add("535", "Logon Failure: The specified account's password has expired")
    $eventID.Add("538", "User Logoff")
    $eventID.Add("539", "Logon Failure: Account locked out")
    $eventID.Add("540", "Successful Network Logon")
    $eventID.Add("576", "Special privileges assigned to new logon")
    $eventID.Add("552", "Logon attempt using explicit credentials")

    # Start and end dates for the event log query: the previous calendar day,
    # midnight to midnight. Built with DateTime arithmetic instead of formatting
    # the date as "dd.MM.yyyy" text and parsing it back, which only works on
    # hosts whose regional settings read day-first dates.
    $endDate = (Get-Date).Date
    $startDate = $endDate.AddDays(-1)

    # Date stamp of the previous run, used to delete its log and zip files
    $delDate = Get-Date $startDate -Format ddMMyyyy

    # Run thru servers and collect the security logs for previous day
    ForEach ($strServer in $strServerNames)
    {
        # Define the name of the log file, delete file, and zip file
        $txtFile = "E:\Scripts\SecLog\" + $strServer + "SecLog" + $strNameDate + ".csv"
        $txtDelFile = "E:\Scripts\SecLog\" + $strServer + "SecLog" + $delDate + ".csv"
        $strDelZipFile = "E:\Scripts\SecLog\" + $strServer + "SecLog" + $delDate + ".zip"
        $strZipFile = "E:\Scripts\SecLog\" + $strServer + "SecLog" + $strNameDate + ".zip"

        # Remove the .old copy left by an earlier run today
        If (Test-Path "$txtFile.old") { Remove-Item -Path "$txtFile.old" -Force }
        # Check if the log file from previous day exists and delete
        If (Test-Path $txtDelFile) { Remove-Item -Path $txtDelFile -Force }
        # Check if zip file exists and delete
        If (Test-Path $strDelZipFile) { Remove-Item -Path $strDelZipFile -Force }
        # Rename the file from previous day if script run twice in a day to avoid overwrite
        If (Test-Path $txtFile) { Rename-Item -Path $txtFile -NewName "$txtFile.old" -Force }

        # Add the information collected to the text file.
        # The column is TimeGenerated, so write TimeGenerated (the original
        # wrote TimeWritten under that header).
        Add-Content -Path $txtFile -Value "ServerName,EventID,EventDescription,Source,Category,TimeGenerated,UserName"
        $logCollection = Get-EventLog -LogName Security -After $startDate -Before $endDate -ComputerName $strServer
        ForEach ($strLog in $logCollection)
        {
            # Hash table keys are strings, so convert the numeric EventID
            $strEventID = "$($strLog.EventID)"

            If ($eventID.ContainsKey($strEventID))
            {
                $strDescription = $eventID[$strEventID]
                Add-Content -Path $txtFile -Value "$($strLog.MachineName),$strEventID,$strDescription,$($strLog.Source),$($strLog.Category),$($strLog.TimeGenerated),$($strLog.UserName)"
            }
        }

        # Compress the file for sending via email
        Zip $strZipFile $txtFile
        Start-Sleep -Seconds 120

        # Send mail message with attached document
        $smtpServer = "mailhost"
        $smtpFrom = "email address"
        $smtpTo = "email address"
        $messageSubject = $strServer + " Security Event Log"
        $messageBody = "The script has now collected the security event log for $strServer on: $strDate"

        Send-MailMessage -To $smtpTo -Subject $messageSubject -From $smtpFrom -Body $messageBody -SmtpServer $smtpServer -Attachments $strZipFile
    }


    • Edited by Aramane Friday, September 27, 2013 4:54 PM
    Friday, September 27, 2013 4:44 PM
  • That does sound like an issue. Have you tried using the Invoke-Command cmdlet, rather than the -ComputerName parameter, to see if it does the same thing?

    Of course you will need PS Remoting enabled to do so.



    Friday, September 27, 2013 4:51 PM
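Along the lines of the Invoke-Command suggestion above, the following is an added example (not the original poster's script and not code from anyone in this thread) that does the log reading on the remote host and returns only the matching rows. It assumes PS Remoting (WinRM) is enabled on each target, that the account running it can read the Security log there, and PowerShell 3.0 or later for [PSCustomObject]; the server list path, output folder and event-ID table are reused from the script posted earlier, and everything else is a constructed assumption.

```powershell
# Added example, not the script from this thread. Assumes PS Remoting (WinRM) is
# enabled on every target, the caller can read the Security log there, and
# PowerShell 3.0+ (for [PSCustomObject]). The file paths and the event-ID table
# are taken from the script posted earlier; everything else is constructed.

$serverList = Get-Content -Path "E:\Scripts\SecLog\Servers2.txt"
$outDir     = "E:\Scripts\SecLog"

# Legacy (pre-Vista) Security log IDs used in the thread's script
$eventNames = @{
    528 = "Successful Logon"
    529 = "Logon Failure: Unknown user name or bad password"
    538 = "User Logoff"
    540 = "Successful Network Logon"
    552 = "Logon attempt using explicit credentials"
    576 = "Special privileges assigned to new logon"
}

# Previous calendar day, midnight to midnight, from DateTime arithmetic rather
# than formatting a date as text and parsing it back (which is culture dependent)
$endDate   = (Get-Date).Date
$startDate = $endDate.AddDays(-1)

# This block runs on the target. Get-EventLog without -ComputerName reads the
# local log, so only the filtered rows travel back over the remoting session.
$remoteCollect = {
    param([datetime]$start, [datetime]$end, [hashtable]$names)
    Get-EventLog -LogName Security -After $start -Before $end |
        Where-Object { $names.ContainsKey([int]$_.EventID) } |
        ForEach-Object {
            [PSCustomObject]@{
                ServerName       = $_.MachineName
                EventID          = $_.EventID
                EventDescription = $names[[int]$_.EventID]
                Source           = $_.Source
                Category         = $_.Category
                TimeGenerated    = $_.TimeGenerated
                UserName         = $_.UserName
            }
        }
}

foreach ($server in $serverList) {
    $csv  = Join-Path $outDir ("{0}SecLog{1:ddMMyyyy}.csv" -f $server, (Get-Date))
    $rows = Invoke-Command -ComputerName $server -ScriptBlock $remoteCollect `
                -ArgumentList $startDate, $endDate, $eventNames

    # Export-Csv quotes each field, so a comma inside Category or UserName cannot
    # shift the columns the way a hand-built "a,b,c" line can
    $rows |
        Select-Object ServerName, EventID, EventDescription, Source, Category, TimeGenerated, UserName |
        Export-Csv -Path $csv -NoTypeInformation
}
```

One thing to keep in mind when comparing before and after: the remoting session itself still appears on the target as a network logon (and matching logoff) under the account running the script, so the expected baseline per server per run is a handful of entries, not zero. If the count stays in the thousands after switching, the entries are coming from something other than the per-call remote log access.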
  • Hi, I have an update on the above... after a closer investigation I have found that the issues are happening only on servers running W2K server. I think this is related to the version of .NET Framework or how PS does the query to the server. I will investigate further, but thanks for the suggestions.

    JC - a.k.a Aramane

    Monday, September 30, 2013 8:58 AM
  • Hello Aramane,

    Your script is really nice. For my side, I would like to get all the logon/logoff events from all my DCs for monitoring who is doing what and at what time (only from admins; I don't know how to manage that). I'm not so good with scripting, I tried many things; could you help me with this?

    # Variables to use in the script
    $txtServers = "Serverslist.txt"

    # Collect the server names to check logfiles
    $strServerNames = Get-Content -Path "C:\tmp\$txtServers"

    # Collect the start and end dates to check event log (previous calendar day,
    # midnight to midnight, without the culture-dependent format/parse round trip)
    $endDate = (Get-Date).Date
    $startDate = $endDate.AddDays(-1)

    $eventList = @()
    # For event 4624, ReplacementStrings[4] is the target user SID and [5] the
    # target user name. A SID longer than 10 characters skips the well-known
    # built-in accounts, and a name ending in "$" is a computer account.
    # (The original had a stray backtick directly after $strServerNames.)
    Get-EventLog -LogName Security -After $startDate -Before $endDate -ComputerName $strServerNames |
        Where-Object -FilterScript { $_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike '*$' } |
        ForEach-Object {
            $row = "" | Select-Object UserName, LoginTime
            $row.UserName = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $eventList += $row
        }
    $eventList

    Tuesday, January 14, 2014 12:46 PM
  • Hi, can you please try running the following query to see if it helps with the issues and whether you are able to get the needed results. I am not quite sure what information you are trying to extract, so the below is just a guess:

    $eventList = @()
    Get-EventLog -LogName Security -After $startDate -Before $endDate | Where-Object -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike '*$'} | ForEach-Object { $row = "" | Select-Object UserName, LoginTime; $row.UserName = $_.ReplacementStrings[5]; $row.LoginTime = $_.TimeGenerated; $eventList += $row }
    $eventList


    JC - a.k.a Aramane

    Tuesday, January 14, 2014 6:00 PM
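For the "logon and logoff from all my DCs" request in the post above, the following is an added example, not code from this thread. It pulls logon (4624) and logoff (4634, 4647) events from each host listed in C:\tmp\Serverslist.txt (the path from that post) for the previous day and returns one object per event with the user, logon type and source address decoded from ReplacementStrings. It assumes remote event log access to each DC and PowerShell 3.0 or later; the output file path and the function name are made up for the example.

```powershell
# Added example, not code from the thread. Pulls logon (4624) and logoff (4634,
# 4647) events from each host in C:\tmp\Serverslist.txt (path from the post
# above) for the previous day and returns one object per event. Assumes remote
# event log access to each DC and PowerShell 3.0+; the output path is made up.

$servers   = Get-Content -Path "C:\tmp\Serverslist.txt"
$endDate   = (Get-Date).Date
$startDate = $endDate.AddDays(-1)

# Logon type codes as documented for event 4624 (ReplacementStrings index 8)
$logonTypes = @{
    2 = "Interactive"; 3 = "Network"; 4 = "Batch"; 5 = "Service"; 7 = "Unlock"
    8 = "NetworkCleartext"; 9 = "NewCredentials"; 10 = "RemoteInteractive"; 11 = "CachedInteractive"
}

function Get-LogonActivity {
    param([string[]]$ComputerName, [datetime]$After, [datetime]$Before)
    foreach ($dc in $ComputerName) {
        Get-EventLog -LogName Security -ComputerName $dc -After $After -Before $Before `
                     -InstanceId 4624, 4634, 4647 |
            ForEach-Object {
                $s = $_.ReplacementStrings
                # Field positions differ per event ID; these match the event
                # descriptions shown in Event Viewer
                switch ($_.EventID) {
                    4624 { $user = $s[5]; $domain = $s[6]; $type = $s[8]; $ip = $s[18]; $action = "Logon" }
                    4634 { $user = $s[1]; $domain = $s[2]; $type = $s[4]; $ip = $null;  $action = "Logoff" }
                    4647 { $user = $s[1]; $domain = $s[2]; $type = $null; $ip = $null;  $action = "Logoff (user initiated)" }
                }
                # Drop computer accounts (name ends in $) and built-in principals
                if ($user -like '*$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { return }
                $typeName = if ($type) { $logonTypes[[int]$type] } else { $null }
                [PSCustomObject]@{
                    DomainController = $dc
                    Time             = $_.TimeGenerated
                    Action           = $action
                    EventID          = $_.EventID
                    User             = "$domain\$user"
                    LogonType        = $typeName
                    SourceIP         = $ip
                }
            }
    }
}

$activity = Get-LogonActivity -ComputerName $servers -After $startDate -Before $endDate
$activity | Sort-Object Time | Export-Csv -Path "C:\tmp\DC-LogonActivity.csv" -NoTypeInformation
```

On a domain controller most 4624 entries are type 3 (network) logons generated by normal authentication traffic, so "who logged on" usually means filtering the result to types 2 and 10 (console and RDP). To limit the report to administrators, filter the User column against a membership list exported from the relevant groups rather than hard-coding names, and remember that the account running this collection will itself show up as network logons on every DC it queries.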