[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Get-Winevent script that shows detailed event info

Posted on 2013-06-26
6
Medium Priority
?
1,620 Views
Last Modified: 2013-06-28
Hi experts!

I am trying to "harvest" certain eventlog information from the log "Microsoft-Windows-AppLocker/EXE and DLL" of a win 2008 R2 server. I would like to get only events of EventID 8004 and it should tell me what user caused the event.

So far I have
get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" |. Where-Object{$_.id -eq 8004} |fl userid,message,TimeCreated

Open in new window

What I get shows the user SID - I don't know how to use powershell to get the name instead. Furthermore, I would like to get only events of today or even better only the last one of this type - I don't see how.

My goal is to attach an event triggered task to these events that starts this script which fetches the last event and sends a mail which has the output as body.

Can anyone help out?
0
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 39278691
You can convert the SID using following code..
((New-Object System.Security.Principal.SecurityIdentifier(<Sid Here>)).Translate([System.Security.Principal.NTAccount])).Value

Open in new window


To get last 24 hours log you can filter the output by Timecreated
Where-Object {$_.Timecreated -gt (Get-date).AddHours(-24)}

Open in new window


You can sort the output and the select the first result using
Sort TimeCreated -Descending | Select -First 1

Open in new window


So your modified code is..
$UserId = @{N="UserId";e={((New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])).Value}}

Get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" | 
		Where-Object {$_.id -eq 8004 -and $_.Timecreated -gt (Get-date).AddHours(-24)} | 
			Sort TimeCreated -Descending | Select $userid,message,TimeCreated -First 1

Open in new window


Remove parameter  -First 1 to get the last 24 hours result..

To send mail you can use Send-MailMessage command
Ref : http://technet.microsoft.com/en-us/library/hh849925.aspx
0
 
LVL 56

Author Comment

by:McKnife
ID: 39278921
Thanks. Will be able to test it on friday.
0
 
LVL 56

Author Comment

by:McKnife
ID: 39279057
At home, in my hyper-v lab on server 2012, it works, but it shows no message text. No idea why. But that is not your code's fault as server 2008 R2 used with my line showed a message text.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 40

Expert Comment

by:Subsun
ID: 39279092
0
 
LVL 56

Author Comment

by:McKnife
ID: 39279648
You're right, it's a bug. And on the connect page, people are not even sure what it is... I added a workaround @ms connect:
--
Confirming.

It goes away when you select the format to be en-us. It was de-de at my server 2012 RTM.
For a test I had to reopen Powershell ISE after switching the format to en-us.
--
0
 
LVL 56

Author Closing Comment

by:McKnife
ID: 39283662
Excellent work, thank you. I added a |fl to line 5 to make it more readable.
Hope to be able to do this on my own in the future :)
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question