?
Solved

Get-Winevent script that shows detailed event info

Posted on 2013-06-26
6
Medium Priority
?
1,585 Views
Last Modified: 2013-06-28
Hi experts!

I am trying to "harvest" certain eventlog information from the log "Microsoft-Windows-AppLocker/EXE and DLL" of a win 2008 R2 server. I would like to get only events of EventID 8004 and it should tell me what user caused the event.

So far I have
get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" |. Where-Object{$_.id -eq 8004} |fl userid,message,TimeCreated

Open in new window

What I get shows the user SID - I don't know how to use powershell to get the name instead. Furthermore, I would like to get only events of today or even better only the last one of this type - I don't see how.

My goal is to attach an event triggered task to these events that starts this script which fetches the last event and sends a mail which has the output as body.

Can anyone help out?
0
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 39278691
You can convert the SID using following code..
((New-Object System.Security.Principal.SecurityIdentifier(<Sid Here>)).Translate([System.Security.Principal.NTAccount])).Value

Open in new window


To get last 24 hours log you can filter the output by Timecreated
Where-Object {$_.Timecreated -gt (Get-date).AddHours(-24)}

Open in new window


You can sort the output and the select the first result using
Sort TimeCreated -Descending | Select -First 1

Open in new window


So your modified code is..
$UserId = @{N="UserId";e={((New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])).Value}}

Get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" | 
		Where-Object {$_.id -eq 8004 -and $_.Timecreated -gt (Get-date).AddHours(-24)} | 
			Sort TimeCreated -Descending | Select $userid,message,TimeCreated -First 1

Open in new window


Remove parameter  -First 1 to get the last 24 hours result..

To send mail you can use Send-MailMessage command
Ref : http://technet.microsoft.com/en-us/library/hh849925.aspx
0
 
LVL 56

Author Comment

by:McKnife
ID: 39278921
Thanks. Will be able to test it on friday.
0
 
LVL 56

Author Comment

by:McKnife
ID: 39279057
At home, in my hyper-v lab on server 2012, it works, but it shows no message text. No idea why. But that is not your code's fault as server 2008 R2 used with my line showed a message text.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
LVL 40

Expert Comment

by:Subsun
ID: 39279092
0
 
LVL 56

Author Comment

by:McKnife
ID: 39279648
You're right, it's a bug. And on the connect page, people are not even sure what it is... I added a workaround @ms connect:
--
Confirming.

It goes away when you select the format to be en-us. It was de-de at my server 2012 RTM.
For a test I had to reopen Powershell ISE after switching the format to en-us.
--
0
 
LVL 56

Author Closing Comment

by:McKnife
ID: 39283662
Excellent work, thank you. I added a |fl to line 5 to make it more readable.
Hope to be able to do this on my own in the future :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question