Parsing Windows event in hash table

  • Question

  • Hi shining minds...! I have seen similar questions asked many times but I just can't get it. I am hoping to seek some help.

    I am trying to extract 3 values from the "Directory Service" logs into a table, from a list of domain controllers, by running in a foreach loop.

    The values are

    <Computer>Contoso.com</Computer> ,  <Data>4256</Data> and  <Data>0</Data>

    I just can't figure out how to achieve this.

    Any help will be greatly appreciated.

    cheers

    Below is the XML of the event log

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
        <EventID Qualifiers="32768">2887</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>16</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2020-01-23T03:11:00.582666700Z" />
        <EventRecordID>975925</EventRecordID>
        <Correlation />
        <Execution ProcessID="528" ThreadID="676" />
        <Channel>Directory Service</Channel>
        <Computer>Contoso.com</Computer>
        <Security UserID="S-2-4-5" />
      </System>
      <EventData>
        <Data>4256</Data>
        <Data>0</Data>
      </EventData>
    </Event>


    NSW DECC

    Friday, January 24, 2020 6:37 AM

Answers

All replies

  • Please edit your post and fix it according to the following link:


    \_(ツ)_/

    Friday, January 24, 2020 7:03 AM
  • Just for example

    I filter the following events

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
        <EventID>1030</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2020-01-24T06:46:49.998952000Z" />
        <EventRecordID>430495</EventRecordID>
        <Correlation ActivityID="{63c35d87-4786-41b8-a4b0-3606240fc2f7}" />
        <Execution ProcessID="1724" ThreadID="18148" />
        <Channel>System</Channel>
        <Computer>server.intra.net</Computer>
        <Security UserID="S-1-5-21-806470407-4060551513-2664077161-218274" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">3049</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">344</Data>
        <Data Name="ErrorCode">1326</Data>
        <Data Name="ErrorDescription">Неверное имя пользователя или пароль.</Data>
        <Data Name="DCName">\\DC2.intra.net</Data>
      </EventData>
    </Event>

    by this filter:

    $Filter = @"
            <QueryList>
            <Query Id="0" Path="System">
                <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and (Level=2)]] and *[EventData[Data[@Name='ErrorCode'] and (Data='1326')]]</Select>
            </Query>
            </QueryList>
    "@
    
    Get-WinEvent -FilterXml $Filter 


    my blog: http://shserg.ru/



    • Edited by s.h.s. _ Friday, January 24, 2020 7:14 AM
    Friday, January 24, 2020 7:10 AM
  • Point was to edit your original post to accomplish this.


    \_(ツ)_/

    Friday, January 24, 2020 7:13 AM
  • Your original post is nowhere close to the XML of your second post so people will be confused.  Please be sure your original post is correct.  The two posts and questions are totally different logically and technically.


    \_(ツ)_/

    Friday, January 24, 2020 7:19 AM
  • Hi Jrv,

    Thanks for your response.

    I went through the link you suggested below, step by step:

    https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-get-winevent-xml-madness-getting-details-from-event-logs

    I built up the code below, but when I run it, it prompts for Name and then Value. I am not sure what to provide.

    Cheers

    ***************************

    $Events = Get-WinEvent -FilterHashtable @{LogName="Directory Service";ID=2887} -MaxEvents 1 -ComputerName contoso.com.int
    $Events.Properties | fl

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Iterate through each one of the XML message properties
        For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
            # Append these as object properties
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name $eventXML.Event.EventData.Data[$i].name `
                -Value $eventXML.Event.EventData.Data[$i].'#Text'
        }
    }

    # View the results with your favorite output method
    #$Events | Export-Csv .\events.csv
    $Events | Select-Object * | Out-GridView


    NSW DECC

    Friday, January 24, 2020 2:26 PM
  • Please never post unformatted and colorized code in this forum.  The code is unreadable in most browsers and is not helpful.

    The colorized code also breaks the page so much that it is unreadable.

    Your code is also wrong and will not do what is asked.


    \_(ツ)_/


    • Edited by jrv Friday, January 24, 2020 3:36 PM
    Friday, January 24, 2020 3:34 PM
  • Inserted the code properly. Hopefully it is a bit more readable.
    $Events = Get-WinEvent -FilterHashtable @{LogName="Directory Service";ID=2887} -MaxEvents 1 -ComputerName contoso.com.int
    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Iterate through each one of the XML message properties
        For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
            # Append these as object properties (no whitespace may follow the backtick continuations)
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name $eventXML.Event.EventData.Data[$i].name `
                -Value $eventXML.Event.EventData.Data[$i].'#Text'
        }
    }

    # View the results with your favorite output method
    #$Events | Export-Csv .\events.csv
    $Events | Select-Object * | Out-GridView


    NSW DECC

    Friday, January 24, 2020 11:10 PM
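    An added example, mine rather than code from the thread or the linked blog, that does what the question asks: one row per domain controller with the Computer element and the two Data values of Directory Service event 2887. The function names are my own, the sample record is the question's XML, and the column names assume the order of the two counts in the 2887 message text.

```powershell
# Added example, not code from the thread: one row per domain controller with the
# Computer element and the two positional Data values of Directory Service event 2887.
function ConvertFrom-Event2887Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    # The record uses a default namespace, so query it with a namespace manager.
    # The 2887 Data elements have no Name attribute and no child nodes, so PowerShell's
    # dot-walk ($xml.Event.EventData.Data) yields plain strings: .name and .'#text' are
    # both $null there, which is why Add-Member -Name in the thread prompted for input.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $sys  = $xml.SelectSingleNode('/e:Event/e:System', $ns)
    $data = @($xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns) | ForEach-Object { $_.InnerText })
    [pscustomobject]@{
        Computer    = $sys.SelectSingleNode('e:Computer', $ns).InnerText
        TimeCreated = [datetime]$sys.SelectSingleNode('e:TimeCreated', $ns).GetAttribute('SystemTime')
        # Column names assume the order of the two counts in the 2887 message text.
        SimpleBindsNoTls  = if ($data.Count -gt 0) { [int]$data[0] } else { $null }
        UnsignedSaslBinds = if ($data.Count -gt 1) { [int]$data[1] } else { $null }
    }
}

function Get-Event2887Report {
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$MaxEvents = 1)
    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -MaxEvents $MaxEvents -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } |
                ForEach-Object { ConvertFrom-Event2887Xml -EventXml $_.ToXml() }
        } catch {
            # Unreachable DC, access denied, or no 2887 in the log (no insecure binds seen).
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample: the record from the question, trimmed to the elements used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2020-01-23T03:11:00.582666700Z" />
    <Channel>Directory Service</Channel>
    <Computer>Contoso.com</Computer>
  </System>
  <EventData><Data>4256</Data><Data>0</Data></EventData>
</Event>
'@
ConvertFrom-Event2887Xml -EventXml $sample | Format-Table -AutoSize
# Get-Event2887Report -DomainController 'dc1.contoso.com','dc2.contoso.com' | Format-Table  # live DCs, placeholder names
```

    The sample parse prints Contoso.com with 4256 and 0; the commented last line runs the same parser against live controllers and keeps going past any DC that fails.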
  • I am asking you to fix your original post at the top and explain what it is that you are asking.  What you posted does not match the XML.

    Please take the time to think about what you are doing and how others will read and see it.


    \_(ツ)_/

    Friday, January 24, 2020 11:54 PM
  • Apologies for the late reply. My objective was to pull event ID 2887 to find simple LDAP binds from AD; I found a better solution here:

    https://evotec.xyz/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020/


    NSW DECC

    • Marked as answer by Birla Tuesday, February 4, 2020 9:26 PM
    Tuesday, February 4, 2020 9:26 PM
  • No one could have ever guessed at that.  Try asking a clear correct question in the future.  Don't ask others to run around in pointless circles.


    \_(ツ)_/

    Tuesday, February 4, 2020 9:35 PM