Show the 5 newest Security logs for each Instance ID 4624, 4648 & 5031

  • Question

  • I am very new to PowerShell and have really enjoyed the different blogs I have seen on this site. They have been very helpful. However, I have been tasked with creating a PowerShell script that will output to HTML the security events "An account was successfully logged on", "A logon was attempted using explicit credentials" and "Windows Firewall Service blocked an application from accepting incoming connections on the network". The Event IDs are 4624, 4648, and 5031. I need to be able to list the 5 newest of each one and output it into one HTML form.

    I have been able to get the results using Get-EventLog -Newest 5 -LogName Security -InstanceID 4624, 4648, 5031. However, it only shows the newest five. I am not sure how to go about getting the output for each of the three IDs.

    I know to output it to HTML I will need to do the ConvertTo-HTML then do the Out-File. I am just stuck on how to get the 5 newest logs for each ID. Any help or direction will be appreciated.

    Sunday, December 6, 2015 7:24 PM

All replies

  • Get-WinEvent -FilterHashTable @{Logname='Security';ID=4624} -Max 5
    Get-WinEvent -FilterHashTable @{Logname='Security';ID=4648} -Max 5
    Get-WinEvent -FilterHashTable @{Logname='Security';ID=5031} -Max 5


    \_(ツ)_/

    Sunday, December 6, 2015 7:45 PM
  • jrv,

    Thank you for that info. I was thinking that I needed to use the Get-WinEvent but was confused on how to get the correct info. That is indeed giving me the initial output I am looking for. However, I am now running into an issue with the output to HTML. When I do Select-Object TimeCreated, Id, Message | ConvertTo-HTML | Out-File C:\SecLog.htm it shows my headings but nothing shows up under them. Here is what I have so far:

    $SecLog1 = Get-WinEvent -FilterHashTable @{Logname='Security';ID=4624} -Max 5
    $SecLog2 = Get-WinEvent -FilterHashTable @{Logname='Security';ID=4648} -Max 5
    $SecLog3 = Get-WinEvent -FilterHashTable @{Logname='Security';ID=5031} -Max 5
    $a = "<style>"
    $a = $a + "BODY{background-color:blue;}"
    $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:orange}"
    $a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:White}"
    $a = $a + "</style>"

    $SecLog1, $SecLog2, $SecLog3 | Select-Object TimeCreated, Id, Message | ConvertTo-HTML -head $a | Out-File C:\SecLog.htm
    Invoke-Expression C:\SecLog.htm

    If I just run $SecLog1, $SecLog2, $SecLog3 it will show me the info I am looking for, but as soon as I add the HTML part the info does not show up in the HTML document. Do you have any advice on what I need to change or how I can get the info to show up in my out-file?

    Sunday, December 6, 2015 8:28 PM
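  • # Wrap the first query in @() so $SecLog is always an array and += appends to it
    $SecLog  = @(Get-WinEvent -FilterHashTable @{Logname='Security';ID=4624} -Max 5)
    $SecLog += Get-WinEvent -FilterHashTable @{Logname='Security';ID=4648} -Max 5
    $SecLog += Get-WinEvent -FilterHashTable @{Logname='Security';ID=5031} -Max 5

    # One flat array of event records goes down the pipeline
    $SecLog | ConvertTo-Html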


    \_(ツ)_/


    • Edited by jrv Monday, December 7, 2015 2:01 AM
    • Marked as answer by CBFifty Monday, December 7, 2015 2:27 AM
    Monday, December 7, 2015 2:01 AM
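
Added example, not part of the thread: the follow-up script printed headings with empty rows because `$SecLog1, $SecLog2, $SecLog3` pipes three arrays, and Select-Object looks for TimeCreated, Id and Message on each array rather than on the records inside it. The sketch below flattens the results before building the report; the function name Get-NewestSecurityEvent, the report path and the CSS are assumptions, and reading the Security log needs an elevated session.

```powershell
# Added example (not from the thread). Function name, report path and CSS are assumptions.
function Get-NewestSecurityEvent {
    param(
        [int[]]$Id = @(4624, 4648, 5031),   # the three event IDs from the question
        [int]$Newest = 5
    )
    foreach ($eventId in $Id) {
        # One query per ID, so -MaxEvents applies to each ID separately.
        # Get-WinEvent writes an error when nothing matches; SilentlyContinue
        # lets the remaining IDs still be queried.
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventId } `
            -MaxEvents $Newest -ErrorAction SilentlyContinue
    }
}

# @() guarantees a flat array of records even when only one (or no) event comes back.
$events = @(Get-NewestSecurityEvent)

$style = @'
<style>
TABLE { border: 1px solid black; border-collapse: collapse; }
TH, TD { border: 1px solid black; padding: 2px; }
TH { background-color: orange; }
</style>
'@

$report = Join-Path $env:TEMP 'SecLog.htm'   # assumed output location
$events |
    Select-Object TimeCreated, Id, Message |
    ConvertTo-Html -Head $style -Title 'Newest security events' |
    Out-File -FilePath $report -Encoding utf8

# Why the nested form produced empty rows, shown with constructed stand-in objects:
$a = 1..2 | ForEach-Object { [pscustomobject]@{ Id = 4624; Message = "constructed $_" } }
$b = 1..2 | ForEach-Object { [pscustomobject]@{ Id = 4648; Message = "constructed $_" } }
$a, $b  | Select-Object Id, Message   # each pipeline item is a whole array: blank cells
$a + $b | Select-Object Id, Message   # each pipeline item is one record: values appear
```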