Event based 'Event Log monitoring' PowerShell script

  • Question

  • I'm struggling to create an event based PowerShell script to continuously monitor certain events that are happening on a computer. 

    First of all, I tried to base my script on a snippet I found online (see the code under this text).

    I noticed the use of '[System.Diagnostics.EventLog]' which is OK if you use 'old' logs like 'System', 'Application'..,
    but this doesn't work for 'new' log files like 'Microsoft-Windows-Wired-AutoConfig/Operational' where I'm looking for IDs 15500 and 15501
    (Using 'Get-EventLog' doesn't show this log, but 'Get-WinEvent' does)

    So I've been trying different things but I can't figure out how to get this working for the 'new' logfiles.

    Does anyone have any idea?

    # set the event log name you want to subscribe to
    # (use Get-EventLog -AsString for a list of available event log names)
    $Name = 'Application'

    # get an instance
    $Log = [System.Diagnostics.EventLog]$Name

    # determine what to do when an event occurs
    $Action = {
        # get the original event entry that triggered the event
        $entry = $event.SourceEventArgs.Entry

        # do something based on the event
        if ($entry.EventId -eq 1 -and $entry.Source -eq 'WinLogon') 
        {
            Write-Host "Test event was received!"
        }

    }

    # subscribe to its "EntryWritten" event
    $job = Register-ObjectEvent -InputObject $log -EventName EntryWritten -SourceIdentifier 'NewEventHandler' -Action $Action


    # use a loop to keep PowerShell busy. You can abort via CTRL+C

    Write-Host "Listening to events" -NoNewline

    try
    {
        do
        {
            Wait-Event -SourceIdentifier NewEventHandler -Timeout 1
            Write-Host "." -NoNewline

        } while ($true)
    }
    finally
    {
        # this executes when CTRL+C is pressed
        Unregister-Event -SourceIdentifier NewEventHandler
        Remove-Job -Name NewEventHandler
        Write-Host ""
        Write-Host "Event handler stopped."
    }

    Tuesday, July 9, 2019 8:35 AM
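    Added example (not part of the original question): a short diagnostic that shows why the classic [System.Diagnostics.EventLog] API reports the channel-style log as missing while Get-WinEvent can see it, and an XPath filter for the two IDs from the question. The log name and event IDs are the ones in the question; the variable names and the output format are assumptions made for this example.

```powershell
# Added example, not code from the original post.
# Log name and IDs are taken from the question; everything else is constructed here.
$LogName  = 'Microsoft-Windows-Wired-AutoConfig/Operational'
$EventIds = 15500, 15501

# Classic API: it only knows logs registered under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog. Channel-style logs such as
# Microsoft-Windows-*/Operational are not registered there, so this is expected
# to return $false, which is the same reason Register-ObjectEvent on an
# [System.Diagnostics.EventLog] instance reports "does not exist".
$classicSees = [System.Diagnostics.EventLog]::Exists($LogName)
Write-Host ("Classic EventLog API sees the log: {0}" -f $classicSees)

# Modern API (Windows Event Log service / wevtapi): channel logs are visible here.
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Log '$LogName' is not present on this machine."
    return
}
Write-Host ("Get-WinEvent sees the log: {0} record(s), mode {1}" -f $log.RecordCount, $log.LogMode)

# XPath filter selecting only the wanted event IDs. The same query string can be
# used with EventLogQuery/EventLogWatcher and in a Task Scheduler event trigger.
$xpath  = '*[System[(EventID={0})]]' -f ($EventIds -join ' or EventID=')
$recent = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue

foreach ($e in $recent) {
    '{0:u}  Id={1}  {2}' -f $e.TimeCreated, $e.Id, $e.Message
}
```

    Run it in an elevated Windows PowerShell 5.1 session on a machine that has the Wired AutoConfig log; on a machine without it the script stops after the warning instead of raising the "does not exist" error from the thread.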

All replies

  • $log = [System.Diagnostics.EventLog]::New('Microsoft-Windows-Wired-AutoConfig/Operational')

    \_(ツ)_/

    Tuesday, July 9, 2019 9:05 AM
  • Great find jrv! After adding this in the code and GMing the object, it does appear to have a membertype 'event' with name 'entrywritten'

    But still stuck on the error that the event log doesn't exist. (again: works fine for 'old' logs, like System log)

    Register-ObjectEvent : The event log 'Microsoft-Windows-Wired-AutoConfig/Operational' on computer '.' does not exist.
    At line:96 char:8
    + $job = Register-ObjectEvent -InputObject $WIREDautoconfig -EventName  ...
    +        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Diagnostics.EventLog:EventLog) [Register-ObjectEvent], InvalidOperationException
        + FullyQualifiedErrorId : INVALID_REGISTRATION,Microsoft.PowerShell.Commands.RegisterObjectEventCommand

    Tuesday, July 9, 2019 11:28 AM
  • That log will not exist on all systems.  If it doesn't exist then you can't use it.


    \_(ツ)_/

    Tuesday, July 9, 2019 11:31 AM
  • Check that the log exists:
    Get-WinEvent -ListLog Microsoft-Windows-Wired-AutoConfig/Operational

    \_(ツ)_/

    Tuesday, July 9, 2019 11:36 AM
  • PS C:\WINDOWS\system32> Get-WinEvent -ListLog Microsoft-Windows-Wired-AutoConfig/Operational

    LogMode   MaximumSizeInBytes RecordCount LogName
    -------   ------------------ ----------- -------
    Circular             1052672        1166 Microsoft-Windows-Wired-AutoConfig/Operational

    Tuesday, July 9, 2019 11:41 AM
  • It appears that these logs cannot be evented.  It may be that the logs need to have the subscription service configured and enabled.


    \_(ツ)_/

    Tuesday, July 9, 2019 12:03 PM
  • I believe there must be a way to query these logs, since you can create a 'task' in the Task Scheduler that executes an action if it finds a certain ID. 

    But what that 'way' is.. that's something else..

    Monday, July 15, 2019 11:28 AM
  • Try using System.Diagnostics.Eventing.Reader.EventLogWatcher

    https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogwatcher?view=netframework-4.8

    Monday, July 15, 2019 1:22 PM
  • Here's a working example of the "Watcher".

    $code = @'
    Imports System
    Imports System.Diagnostics.Eventing.Reader
    
    Public Class SubscribeToEventsExample
    
        Public Sub New()
    
            Dim watcher As EventLogWatcher
            watcher = Nothing
    
            Try
    
                ' Subscribe to receive event notifications
                ' in the Application log. The XPath query selects
                ' every event whose Level is greater than 0.
                Dim subscriptionQuery As New EventLogQuery("Application", PathType.LogName, "*[System/Level>0]")
    
                watcher = New EventLogWatcher(subscriptionQuery)
    
                ' Set watcher to listen for the EventRecordWritten
                ' event.  When this event happens, the callback method
                ' (HandleEvent) will be called.
                AddHandler watcher.EventRecordWritten, AddressOf Me.HandleEvent
    
                ' Begin subscribing to events
                watcher.Enabled = True
                Console.WriteLine("Waiting for events...")
    
                Dim i As Integer
                For i = 0 To 10000
                    ' Wait for events to occur. 
                    System.Threading.Thread.Sleep(1000)
                Next
    
            Catch e As EventLogReadingException
    
                Console.WriteLine("Error reading the log: {0}", e.Message)
    
            Finally
    
                ' Stop listening to events and release the subscription.
                ' The null check must come first: if the constructor threw
                ' before the watcher was created, watcher is still Nothing.
                If Not watcher Is Nothing Then
                    watcher.Enabled = False
                    watcher.Dispose()
                End If
    
            End Try
        End Sub
    
        ''' <summary>
        ''' Callback method that gets executed when an event is
        ''' reported to the subscription.
        ''' </summary>
        Public Sub HandleEvent(ByVal obj As Object, ByVal arg As EventRecordWrittenEventArgs)
            Console.WriteLine("Received event from the subscription.")
    
            ' Make sure there was no error reading the event.
            ' EventRecord is Nothing when the watcher hit a read error.
            If Not arg.EventRecord Is Nothing Then
    
                Console.WriteLine("Received event {0} from the subscription.", _
                   arg.EventRecord.Id)
                Console.WriteLine("Description: {0}", arg.EventRecord.FormatDescription())
            Else
    
                Console.WriteLine("The event instance was null.")
            End If
        End Sub
    
        Public Overloads Shared Function Main( _
        ByVal args() As String) As Integer
    
            ' Start the event watcher
            Dim eventWatcher As New SubscribeToEventsExample
    
            Return 0
    
        End Function
    End Class
    '@
    # Compile the VB class into the current session, then run its constructor,
    # which blocks while the watcher is listening.
    Add-Type -TypeDefinition $code -Language VisualBasic
    [SubscribeToEventsExample]::new()


    \_(ツ)_/


    • Edited by jrv Monday, July 15, 2019 2:04 PM
    Monday, July 15, 2019 2:03 PM
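    Added example, not jrv's code and not from the original thread: the EventLogWatcher approach suggested above, written natively in PowerShell with Register-ObjectEvent so no Add-Type compilation is needed, and pointed at the log and the two event IDs from the question. The source identifier, the handler body and the output format are assumptions made for this example.

```powershell
# Added example (not code from the thread). Log name and IDs come from the question;
# the subscription name and handler body are constructed for this illustration.
$LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'
$XPath   = '*[System[(EventID=15500 or EventID=15501)]]'

# Fail early with a clear message if the channel log is absent on this machine.
if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
    throw "Log '$LogName' does not exist on this machine."
}

# EventLogQuery/EventLogWatcher sit on the modern Windows Event Log API, which
# understands channel-style logs that [System.Diagnostics.EventLog] cannot open.
$query   = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
               $LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $XPath)
$watcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($query)

$action = {
    # $EventArgs is the EventRecordWrittenEventArgs delivered by the watcher.
    $record = $EventArgs.EventRecord
    if ($null -eq $record) {
        # A null record means the watcher hit a read error; EventException says why.
        Write-Warning ("Watcher error: {0}" -f $EventArgs.EventException.Message)
        return
    }
    '{0:u}  Id={1}  {2}' -f $record.TimeCreated, $record.Id, $record.FormatDescription()
}

# Attach the handler first, then enable the watcher so no early event is missed.
$job = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
           -SourceIdentifier WiredAutoConfigWatcher -Action $action
$watcher.Enabled = $true

Write-Host "Listening for IDs 15500/15501 in $LogName (Ctrl+C to stop)"
try {
    while ($true) {
        # Output produced inside -Action is held by the event job; Receive-Job surfaces it.
        Receive-Job -Job $job
        Start-Sleep -Seconds 1
    }
}
finally {
    # Runs on Ctrl+C: stop the subscription and clean up the event job.
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier WiredAutoConfigWatcher
    Remove-Job -Job $job -Force
    $watcher.Dispose()
}
```

    The XPath string passed to EventLogQuery is the same filter syntax the Task Scheduler event trigger accepts, so the filter tested here can be reused in a scheduled task if a persistent, session-independent subscription is preferred over a running PowerShell process.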