Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Get-Winevent script that shows detailed event info

Posted on 2013-06-26
6
1,498 Views
Last Modified: 2013-06-28
Hi experts!

I am trying to "harvest" certain eventlog information from the log "Microsoft-Windows-AppLocker/EXE and DLL" of a win 2008 R2 server. I would like to get only events of EventID 8004 and it should tell me what user caused the event.

So far I have
get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" |. Where-Object{$_.id -eq 8004} |fl userid,message,TimeCreated

Open in new window

What I get shows the user SID - I don't know how to use powershell to get the name instead. Furthermore, I would like to get only events of today or even better only the last one of this type - I don't see how.

My goal is to attach an event triggered task to these events that starts this script which fetches the last event and sends a mail which has the output as body.

Can anyone help out?
0
Comment
Question by:McKnife
  • 4
  • 2
6 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 39278691
You can convert the SID using following code..
((New-Object System.Security.Principal.SecurityIdentifier(<Sid Here>)).Translate([System.Security.Principal.NTAccount])).Value

Open in new window


To get last 24 hours log you can filter the output by Timecreated
Where-Object {$_.Timecreated -gt (Get-date).AddHours(-24)}

Open in new window


You can sort the output and the select the first result using
Sort TimeCreated -Descending | Select -First 1

Open in new window


So your modified code is..
$UserId = @{N="UserId";e={((New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])).Value}}

Get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" | 
		Where-Object {$_.id -eq 8004 -and $_.Timecreated -gt (Get-date).AddHours(-24)} | 
			Sort TimeCreated -Descending | Select $userid,message,TimeCreated -First 1

Open in new window


Remove parameter  -First 1 to get the last 24 hours result..

To send mail you can use Send-MailMessage command
Ref : http://technet.microsoft.com/en-us/library/hh849925.aspx
0
 
LVL 54

Author Comment

by:McKnife
ID: 39278921
Thanks. Will be able to test it on friday.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39279057
At home, in my hyper-v lab on server 2012, it works, but it shows no message text. No idea why. But that is not your code's fault as server 2008 R2 used with my line showed a message text.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 40

Expert Comment

by:Subsun
ID: 39279092
0
 
LVL 54

Author Comment

by:McKnife
ID: 39279648
You're right, it's a bug. And on the connect page, people are not even sure what it is... I added a workaround @ms connect:
--
Confirming.

It goes away when you select the format to be en-us. It was de-de at my server 2012 RTM.
For a test I had to reopen Powershell ISE after switching the format to en-us.
--
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 39283662
Excellent work, thank you. I added a |fl to line 5 to make it more readable.
Hope to be able to do this on my own in the future :)
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question