• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1649
  • Last Modified:

Get-Winevent script that shows detailed event info

Hi experts!

I am trying to "harvest" certain eventlog information from the log "Microsoft-Windows-AppLocker/EXE and DLL" of a win 2008 R2 server. I would like to get only events of EventID 8004 and it should tell me what user caused the event.

So far I have
get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" |. Where-Object{$_.id -eq 8004} |fl userid,message,TimeCreated

Open in new window

What I get shows the user SID - I don't know how to use powershell to get the name instead. Furthermore, I would like to get only events of today or even better only the last one of this type - I don't see how.

My goal is to attach an event triggered task to these events that starts this script which fetches the last event and sends a mail which has the output as body.

Can anyone help out?
0
McKnife
Asked:
McKnife
  • 4
  • 2
1 Solution
 
SubsunCommented:
You can convert the SID using following code..
((New-Object System.Security.Principal.SecurityIdentifier(<Sid Here>)).Translate([System.Security.Principal.NTAccount])).Value

Open in new window


To get last 24 hours log you can filter the output by Timecreated
Where-Object {$_.Timecreated -gt (Get-date).AddHours(-24)}

Open in new window


You can sort the output and the select the first result using
Sort TimeCreated -Descending | Select -First 1

Open in new window


So your modified code is..
$UserId = @{N="UserId";e={((New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])).Value}}

Get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" | 
		Where-Object {$_.id -eq 8004 -and $_.Timecreated -gt (Get-date).AddHours(-24)} | 
			Sort TimeCreated -Descending | Select $userid,message,TimeCreated -First 1

Open in new window


Remove parameter  -First 1 to get the last 24 hours result..

To send mail you can use Send-MailMessage command
Ref : http://technet.microsoft.com/en-us/library/hh849925.aspx
0
 
McKnifeAuthor Commented:
Thanks. Will be able to test it on friday.
0
 
McKnifeAuthor Commented:
At home, in my hyper-v lab on server 2012, it works, but it shows no message text. No idea why. But that is not your code's fault as server 2008 R2 used with my line showed a message text.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
McKnifeAuthor Commented:
You're right, it's a bug. And on the connect page, people are not even sure what it is... I added a workaround @ms connect:
--
Confirming.

It goes away when you select the format to be en-us. It was de-de at my server 2012 RTM.
For a test I had to reopen Powershell ISE after switching the format to en-us.
--
0
 
McKnifeAuthor Commented:
Excellent work, thank you. I added a |fl to line 5 to make it more readable.
Hope to be able to do this on my own in the future :)
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now