PowerShell script for Event IDs

Server 2003, PowerShell v1

I'm looking for a script that will show the number of a specific event IDs for a specific user in the Security logs over a specific time frame.

User1 and event ID 538 July 1, 2014 - July 9, 2014

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

$events = Get-EventLog  -LogName "Security" -After 7/1/2014 -Before 7/9/2014 -source "<source>" | ? {$_.eventid -eq "538" -and $_.message -like "*user*"}
write-host $events.count

Open in new window

Of course a sample of the event would be good to know where the user info is captured, I only put in $_.message this migh be captured elsewhere
xmouserAuthor Commented:
What would the source be?
xmouserAuthor Commented:
Got it, the source is the user. Getting error message cannot be found parameter name 'after'.
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Can you do me a quick favor, I am not in a place to duplicate a 538, can you run this and paste the output.

I will then be able to give you a script to do exactly what you need:

Get-EventLog  -LogName Security  ? {$_.eventid -eq "538"} | get-member

Open in new window

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
You really should update to PS 2, the latest PS release for W2003. PS 1 has many restrictions and bugs, and one of them is that Get-EventLog doesn't allow for date boundaries to be provided as parameter.

EventID 538 is User Logoff (both interactive or over network), but has changed with Vista (?) to a different ID. The username is embedded in the text message, Not changing anything in your environment, this should work:
$User = 'User1'
$start = [datetime] '7/1/2014'
$end = [datetime] '7/9/2014'

  get-eventlog security |
    ? { $_.EventId -eq 538 -and  $_.TimeGenerated -ge $start -and $_.TimeGenerated -ls $end } |
    ? { $_.Message -like "*`tAdministrator*" }

Open in new window


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xmouserAuthor Commented:

A parameter cannot be found that matches parameter name '?'


If I could I would - I'm stuck for the moment with what I have.
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
My code above should work on PS 1.
becraig's line needs a pipe in front of the question mark:
Get-EventLog  -LogName Security | ? {$_.eventid -eq "538"} | get-member

Open in new window

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.