Solved

PowerShell script for Event IDs

Posted on 2014-07-18
9
279 Views
Last Modified: 2014-07-30
Server 2003, PowerShell v1

I'm looking for a script that will show the number of a specific event IDs for a specific user in the Security logs over a specific time frame.

User1 and event ID 538 July 1, 2014 - July 9, 2014

Possible?
0
Comment
Question by:xmouser
  • 3
  • 2
  • 2
9 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40205320
$events = Get-EventLog  -LogName "Security" -After 7/1/2014 -Before 7/9/2014 -source "<source>" | ? {$_.eventid -eq "538" -and $_.message -like "*user*"}
write-host $events.count

Open in new window



Of course a sample of the event would be good to know where the user info is captured, I only put in $_.message this migh be captured elsewhere
0
 

Author Comment

by:xmouser
ID: 40205361
What would the source be?
0
 

Author Comment

by:xmouser
ID: 40205365
Got it, the source is the user. Getting error message cannot be found parameter name 'after'.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 29

Expert Comment

by:becraig
ID: 40205398
Can you do me a quick favor, I am not in a place to duplicate a 538, can you run this and paste the output.

I will then be able to give you a script to do exactly what you need:

Get-EventLog  -LogName Security  ? {$_.eventid -eq "538"} | get-member

Open in new window

0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40208704
You really should update to PS 2, the latest PS release for W2003. PS 1 has many restrictions and bugs, and one of them is that Get-EventLog doesn't allow for date boundaries to be provided as parameter.

EventID 538 is User Logoff (both interactive or over network), but has changed with Vista (?) to a different ID. The username is embedded in the text message, Not changing anything in your environment, this should work:
$User = 'User1'
$start = [datetime] '7/1/2014'
$end = [datetime] '7/9/2014'

@(
  get-eventlog security |
    ? { $_.EventId -eq 538 -and  $_.TimeGenerated -ge $start -and $_.TimeGenerated -ls $end } |
    ? { $_.Message -like "*`tAdministrator*" }
).count

Open in new window

0
 

Author Comment

by:xmouser
ID: 40208759
becraig

A parameter cannot be found that matches parameter name '?'

Qlemo

If I could I would - I'm stuck for the moment with what I have.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40208781
My code above should work on PS 1.
becraig's line needs a pipe in front of the question mark:
Get-EventLog  -LogName Security | ? {$_.eventid -eq "538"} | get-member

Open in new window

0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
Learn the basics of lists in Python. Lists, as their name suggests, are a means for ordering and storing values. : Lists are declared using brackets; for example: t = [1, 2, 3]: Lists may contain a mix of data types; for example: t = ['string', 1, T…
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question