Event log monitoring with PowerShell

I'm trying to use PowerShell to monitor event log ID 528 in the Security log. My script works OK, but I am trying to add a few parameters and am a bit of a newbie to scripting in general.

First off, I'd like to add a date/time stamp to my Outfile so that it isn't overwritten each time the script is run.

Secondly, I need to add the "Source Network Address" parameter from Event ID 528 to the output. I tried adding "Source Network Address" to my script but get back a null output. Event 528 looks like this:

Successful Logon:
       User Name:      User
       Domain:            My Domain
       Logon ID:            (0x0,0x90BEF452)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      COMPUTER NAME
       Logon GUID:      {ea0d7ccb-e029-9d9d-96f0-07be3d66f5dd}
       Caller User Name:      COMP$
       Caller Domain:      My Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 7456
       Transited Services: -
       Source Network Address:      192.168.1.5
       Source Port:      3390



Lastly, I need to know what parameters to add to run the script for the current day rather than for the newest 10000 events.

This is the script I currently have written.

$events =  Get-EventLog -ComputerName "COMPUTER" -LogName "Security" -newest 10000 | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security" }  

foreach ( $event in $events       ) {
      if (($event.message | Select-String "Logon Type:      2")){
            "LogonType 2 (Interactive Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt
      }
      if (($event.message | Select-String "Logon Type:      3")){
            "LogonType 3 (Network Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      4")){
            "LogonType 4 (Batch Login )      ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      5")){
            "LogonType 5 (Service Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      7")){
            "LogonType 7 (Computer Unlocked );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      8")){
            "LogonType 8 (Network Cleartext Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      9")){
            "LogonType 9 (NewCredentials )   ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      10")){
            "LogonType 10 (RDP Login )       ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | out-file logins.txt  
      }
      if (($event.message | Select-String "Logon Type:      11")){
            "LogonType 11 (Cached Credentials Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | out-file logins.txt  
      }
}
cja777Asked:

Joe KlimisCommented:
The following gives you the log file you require (I have added the append), and also just today's events.
To find the exact name for the "Source Network Address", do the following:
$event = Get-EventLog -ComputerName "COMPUTER" -LogName "Security" -newest 1 | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security" }
$event | get-member
This will provide the object attributes; locate the name of the required object element.
If you get stuck, post the output of the above and I will help.


$events       =  Get-EventLog   -ComputerName "COMPUTER" -LogName "Security" | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security" -and $_.TimeGenerated -ge (Get-Date).Date }  
$LogDate      = Get-Date -uformat "%Y-%m-%d"  # GET DATE AND FORMAT IT (four-digit year so the files sort by name)
$LogFileName  = "logins_$LogDate.txt"         # CREATE NAME FOR LOG FILE (must be quoted, or PowerShell treats it as a command name)
if (-not (Test-Path $LogFileName)) { New-Item -Path $LogFileName -ItemType File | Out-Null }   # CREATE AN EMPTY FILE ONLY IF IT DOES NOT EXIST YET; Out-File here would truncate earlier runs from today
foreach ( $event in $events       ) 
{

      if (($event.message | Select-String "Logon Type:      2")){
            "LogonType 2 (Interactive Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName 
      }
      if (($event.message | Select-String "Logon Type:      3")){
            "LogonType 3 (Network Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      4")){
            "LogonType 4 (Batch Login )      ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      5")){
            "LogonType 5 (Service Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      7")){
            "LogonType 7 (Computer Unlocked );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      8")){
            "LogonType 8 (Network Cleartext Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      9")){
            "LogonType 9 (NewCredentials )   ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      10")){
            "LogonType 10 (RDP Login )       ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress      | Out-File -append $LogFileName  
      }
      if (($event.message | Select-String "Logon Type:      11")){
            "LogonType 11 (Cached Credentials Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";"+$event.SourceNetworkAddress | Out-File -append $LogFileName  
      }
}


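An added example, not code from the thread, that ties the three requests together the way a practitioner would: it lets Get-EventLog do the date filtering with -After instead of fetching -Newest 10000, writes one file per run stamped with date and time, and parses the Source Network Address out of the event text. The parsing is needed because the System.Diagnostics.EventLogEntry objects Get-EventLog returns have no SourceNetworkAddress property (that is why the original script printed nothing for it); the address only exists inside Message and ReplacementStrings. It also checks for administrative rights before touching the Security log, which is the cause of the "Requested registry access is not allowed" error reported further down the thread. The computer name and output folder are placeholders, and the field labels are taken from the sample event in the question. One caveat: 528 is the Windows XP/2003 event ID; on Windows Vista and later the successful-logon event is 4624, which still carries "Logon Type:" and "Source Network Address:" lines, so only the ID in the filter would change.

```powershell
# Added example, not code from the thread. Collects today's Event ID 528 logons
# from one machine, pulls Logon Type and Source Network Address out of the
# message text, and appends them to a file stamped with date AND time.
# Assumptions: the field labels shown in the question's sample event; the
# computer name and output folder below are placeholders.
param(
    [string]$ComputerName = 'COMPUTER',   # placeholder, as in the question
    [string]$OutDir       = 'C:\temp'     # placeholder
)

# Reading the Security log needs administrative rights; fail early with a plain
# message rather than the "Requested registry access is not allowed" exception.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script with administrative rights; the Security log is not readable otherwise.'
}

# Logon type number -> label, the same set the original script tested one by one.
$LogonTypes = @{
    2 = 'Interactive Login';  3 = 'Network Login';     4 = 'Batch Login'
    5 = 'Service Login';      7 = 'Computer Unlocked'; 8 = 'Network Cleartext Login'
    9 = 'NewCredentials';    10 = 'RDP Login';         11 = 'Cached Credentials Login'
}

# Return the value of one "Label:<whitespace>value" line of a 528 message, or $null.
# EventLogEntry has no SourceNetworkAddress property; the address lives only in
# the Message text (and ReplacementStrings), so it has to be parsed out.
function Get-LogonField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*{0}:\s*(.*?)\s*$' -f [regex]::Escape($Label)
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

# One file per run: date plus time, so 2-3 runs a day never overwrite each other,
# and -Append below means an aborted run still leaves what it had written.
$LogFile = Join-Path $OutDir ('logins_{0}_{1:yyyy-MM-dd_HHmmss}.txt' -f $ComputerName, (Get-Date))

# -After makes the cmdlet stop at midnight instead of fetching -Newest 10000 and
# filtering afterwards; the Where-Object keeps the original ID and Source test.
$events = Get-EventLog -ComputerName $ComputerName -LogName 'Security' -After (Get-Date).Date |
          Where-Object { $_.EventID -eq 528 -and $_.Source -eq 'Security' }

$written = 0
foreach ($event in $events) {
    $type = [int](Get-LogonField -Message $event.Message -Label 'Logon Type')
    if (-not $LogonTypes.ContainsKey($type)) { continue }   # types the original script ignored
    $addr = Get-LogonField -Message $event.Message -Label 'Source Network Address'

    # Same semicolon-separated columns as the original script, address last;
    # TimeGenerated in sortable ISO form instead of the long date string.
    'LogonType {0} ({1});{2:s};{3};{4}' -f $type, $LogonTypes[$type], $event.TimeGenerated, $event.UserName, $addr |
        Out-File -FilePath $LogFile -Append -Encoding ASCII
    $written++
}
Write-Output "Wrote $written logon records to $LogFile"
```

Fed the message pasted in the question, Get-LogonField returns 10 for "Logon Type" and 192.168.1.5 for "Source Network Address"; the anchored pattern means "Caller Logon ID:" is not mistaken for "Logon ID:". The regex tolerates tabs or spaces after the colon, which the literal "Logon Type:      2" strings in the original script do not. For a remote machine the account also needs administrative rights on that machine, which the local check above cannot verify.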

cja777Author Commented:
I'm running PowerShell 2.0 on Windows XP if that makes any difference as to the output.

Thank you very much for the help with the script.  When I run:

$event = Get-EventLog -ComputerName "COMPUTER" -LogName "Security" -newest 1000 | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security" }
$event | get-member

I get back

Get-Member : No object has been specified to the get-member cmdlet.
At C:\temp\login3.ps1:2 char:20
+ $event | get-member <<<<
    + CategoryInfo          : CloseError: (:) [Get-Member], InvalidOperationEx
   ception
    + FullyQualifiedErrorId : NoObjectInGetMember,Microsoft.PowerShell.Command
   s.GetMemberCommand


Also when I run the full script as copied with the correct computer name I get the output of:

The term 'logins_$LogDate.txt' is not recognized as the name of a cmdlet, funct
ion, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At C:\temp\logins2.ps1:3 char:36
+ $LogFileName  = logins_$LogDate.txt <<<<            # CREATE NAME FOR LOG FIL
E
    + CategoryInfo          : ObjectNotFound: (logins_$LogDate.txt:String) [],
    CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Out-File : Cannot bind argument to parameter 'FilePath' because it is null.
At C:\temp\logins2.ps1:4 char:9
+ out-file <<<<  $LogFileName                          #CREATE AN EMPTY FILE
    + CategoryInfo          : InvalidData: (:) [Out-File], ParameterBindingVal
   idationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
   icrosoft.PowerShell.Commands.OutFileCommand


cja777Author Commented:
Just wanted to provide a quick update.  I was able to get the log to give me the information I wanted, I just had it include the whole message instead of just the source address.

I changed the script to try to have it generated based on the day.  I'd also like to have it generate with a timestamp in the file name since it will need to run 2-3 times per day against certain machines.  Here is the updated script and output:

$events       =  Get-EventLog   -ComputerName "Computer" -LogName "Security" | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security"-and $_.timeGenerated -ge ((get-date).adddays(0).date) }  
$LogDate      = get-date -uformat "%y-%m-%d"  # GET DATE AND FORMAT IT  
$LogFileName  = logins_$LogDate.txt           # CREATE NAME FOR LOG FILE
outfile $LogFileName                #CREATE AN EMPTY FILE
foreach ( $event in $events       ) {

      if (($event.message | Select-String "Logon Type:      2")){
            "LogonType 2 (Interactive Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message       | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      3")){
            "LogonType 3 (Network Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      4")){
            "LogonType 4 (Batch Login )      ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      5")){
            "LogonType 5 (Service Login )    ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      7")){
            "LogonType 7 (Computer Unlocked );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      8")){
            "LogonType 8 (Network Cleartext Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      9")){
            "LogonType 9 (NewCredentials )   ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      10")){
            "LogonType 10 (RDP Login )       ;"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
      if (($event.message | Select-String "Logon Type:      11")){
            "LogonType 11 (Cached Credentials Login );"+ $event.TimeGenerated.DateTime + ";" +$event.UserName + ";" +$event.message | Out-File $LogFileName
      }
}

The output I get now is

Out-File : Cannot bind argument to parameter 'FilePath' because it is null.
At C:\temp\logins.1.ps1:22 char:125
+         "LogonType 5 (Service Login )    ;"+ $event.TimeGenerated.DateTime +
";" +$event.UserName + ";" +$event.message | Out-File <<<<  $LogFileName
    + CategoryInfo          : InvalidData: (:) [Out-File], ParameterBindingVal
   idationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
   icrosoft.PowerShell.Commands.OutFileCommand

Out-File : Cannot bind argument to parameter 'FilePath' because it is null.
At C:\temp\logins.1.ps1:19 char:125
+         "LogonType 4 (Batch Login )      ;"+ $event.TimeGenerated.DateTime +
";" +$event.UserName + ";" +$event.message | Out-File <<<<  $LogFileName
    + CategoryInfo          : InvalidData: (:) [Out-File], ParameterBindingVal
   idationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
   icrosoft.PowerShell.Commands.OutFileCommand

cja777Author Commented:
I got the script to do what I wanted as far as creating a log file, is it possible to e-mail this file after it's created?
Joe KlimisCommented:
Try the following PowerShell function; it will require an SMTP server to relay the message.

##############################################################
Function SendEmail
{
		Param (
						[string]  $EmailToAddress   = "xxx@xxx.com",
						[string]  $Emailsubject     = "Test",
						[string]  $EmailBody        = "This is the body" ,
						[string]  $attachment       = "",
						[string[]]$EmailCcAddress   = @(),        # one or more CC addresses
						[string]  $EmailFromAddress = "from@mydomain.net",
						[string]  $EmailSmtpServer  = "192.192.192.192"
		)
		if ( ($EmailToAddress -eq "/?") -or ($EmailToAddress -eq "-?")  -or ($EmailToAddress -eq "-help")  -or ($EmailToAddress -eq "-h") )
		{
		#cls
		write-host "Help for SendEmail Function"
		""
		""
		Write-host -f GReen "---------------------------"
		""
		""
		write-host -nonewline ' Usage :  '
		write-host -nonewline -f yellow  'SendEmail ' 
		write-host -nonewline '  "EmailToAddress" "Subject" "Body Text" "Attachment Filename" " CC addresses" "From Address" '
		''
		""
		""
		'EG     >>  sendemail "user@domain.com" "Test" "Check out my body text " "c:\report.xml" "" "sysadmin@mydomain.com" '
		""

		return     # 'break' here is not inside a loop and would abort the calling script as well
		}
		#######################################
		# Create from/to addresses  
		#######################################
		$from       = New-Object System.Net.Mail.MailAddress $EmailFromAddress 
		$to         = New-Object System.Net.Mail.MailAddress $EmailToAddress
		  
		#######################################
		# Create Message  
		#######################################
		$message = new-object  System.Net.Mail.MailMessage $from, $to  
		$message.Subject = $Emailsubject
		$message.Body = $EmailBody
		if ($attachment -ne "")
		{
			# Fail clearly if the file is missing instead of sending the mail without it
			if (-not (Test-Path -Path $attachment -PathType Leaf)) { throw "Attachment not found: $attachment" }
			$message.Attachments.Add( (New-Object System.Net.Mail.Attachment $attachment) )
		}

		#######################################
		#add the CC Addresses (empty strings, e.g. "" passed positionally, are skipped)
		#######################################
		foreach ($CCAddress in $EmailCcAddress) { if ($CCAddress -ne "") { $message.Cc.Add($CCAddress) } }

		#######################################
		# create SMTP Client  
		#######################################
		$client = new-object system.net.mail.smtpclient $EmailSmtpServer 
		try     { $client.Send($message) }
		finally { $message.Dispose() }   # releases the open handle on the attachment file

#######################
}   # end Function
#######################

#######################################
# Example usage
#######################################
# sendemail "testuser@domain.com" "test" "" "" "" "sysadmin@mydomain.com"


cja777Author Commented:
When specifying the file name to e-mail, can I add a variable to it so that it e-mails the log file generated for that day? For instance, if I put

"C:\temp\Event528_$((Get-Date).ToString('MM-dd-yyyy'))"

as my attachment file name, would it pull the one for today's date? Sorry, I am new to scripting, if this is a super obvious question.
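An added example, not code from the thread, covering both the SendEmail function above and the follow-up question about a date variable in the attachment name. It builds today's file name from the formatted date (the asker's idea, with the subexpression closed), checks the file exists before sending, and uses the built-in Send-MailMessage cmdlet, which is available in PowerShell 2.0, instead of hand-rolling System.Net.Mail objects. The folder and Event528_MM-dd-yyyy.txt naming follow the asker's follow-up; the SMTP relay and the addresses are placeholders.

```powershell
# Added example, not code from the thread. Builds today's log file name from the
# date, checks the file exists, and e-mails it with the built-in Send-MailMessage
# cmdlet (available in PowerShell 2.0). Assumptions: files are named
# Event528_MM-dd-yyyy.txt under C:\temp, as in the asker's follow-up; the relay
# and the addresses are placeholders.
param(
    [string]$LogDir     = 'C:\temp',
    [string]$SmtpServer = 'smtp.example.com',       # placeholder relay
    [string]$From       = 'sysadmin@example.com',   # placeholder
    [string]$To         = 'secops@example.com'      # placeholder
)

# The asker's idea, with the parentheses closed: format today's date, then let
# Join-Path combine folder and name so neither side has to worry about backslashes.
$stamp   = (Get-Date).ToString('MM-dd-yyyy')
$logFile = Join-Path $LogDir "Event528_$stamp.txt"

if (-not (Test-Path -Path $logFile -PathType Leaf)) {
    Write-Warning "No log file for today at $logFile; nothing sent."
    return
}

# Put a line count in the body so an empty report is recognisable without opening it.
$entries = @(Get-Content -Path $logFile).Count
$body    = "Event ID 528 logon report for $stamp`r`n$entries entries; details in the attached file."

# Send-MailMessage speaks plain SMTP to the relay. The attachment lists user names
# and source addresses, so add -UseSsl (and -Credential) if the relay supports
# them rather than sending the report across the network in the clear.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                 -Subject "Event 528 report $stamp" -Body $body -Attachments $logFile
Write-Output "Sent $logFile ($entries entries) to $To via $SmtpServer"
```

If the collector writes one file per run (date plus time in the name) rather than one per day, the exact-name lookup no longer fits; select the newest match instead, for example with Get-ChildItem on "Event528_*.txt" sorted by LastWriteTime and Select-Object -First 1, and pass that path to -Attachments.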
jjozCommented:
I got an error here:


Get-EventLog : Requested registry access is not allowed.
At line:1 char:22
+ $event = Get-EventLog <<<<  -LogName "Security" -newest 1 | Where {$_.eventid -eq 528 -AND $_.Source -eq "Security" }
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
 
Get-Member : No object has been specified to the get-member cmdlet.
At line:2 char:20
+ $event | get-member <<<< 
    + CategoryInfo          : CloseError: (:) [Get-Member], InvalidOperationException
    + FullyQualifiedErrorId : NoObjectInGetMember,Microsoft.PowerShell.Commands.GetMemberCommand

