PowerShell script for Event IDs

Posted on 2014-07-18
Last Modified: 2014-07-30
Server 2003, PowerShell v1

I'm looking for a script that will show the number of a specific event IDs for a specific user in the Security logs over a specific time frame.

User1 and event ID 538 July 1, 2014 - July 9, 2014

Question by:xmouser
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 29

Expert Comment

ID: 40205320
$events = Get-EventLog  -LogName "Security" -After 7/1/2014 -Before 7/9/2014 -source "<source>" | ? {$_.eventid -eq "538" -and $_.message -like "*user*"}
write-host $events.count

Open in new window

Of course a sample of the event would be good to know where the user info is captured, I only put in $_.message this migh be captured elsewhere

Author Comment

ID: 40205361
What would the source be?

Author Comment

ID: 40205365
Got it, the source is the user. Getting error message cannot be found parameter name 'after'.
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

LVL 29

Expert Comment

ID: 40205398
Can you do me a quick favor, I am not in a place to duplicate a 538, can you run this and paste the output.

I will then be able to give you a script to do exactly what you need:

Get-EventLog  -LogName Security  ? {$_.eventid -eq "538"} | get-member

Open in new window

LVL 70

Accepted Solution

Qlemo earned 500 total points
ID: 40208704
You really should update to PS 2, the latest PS release for W2003. PS 1 has many restrictions and bugs, and one of them is that Get-EventLog doesn't allow for date boundaries to be provided as parameter.

EventID 538 is User Logoff (both interactive or over network), but has changed with Vista (?) to a different ID. The username is embedded in the text message, Not changing anything in your environment, this should work:
$User = 'User1'
$start = [datetime] '7/1/2014'
$end = [datetime] '7/9/2014'

  get-eventlog security |
    ? { $_.EventId -eq 538 -and  $_.TimeGenerated -ge $start -and $_.TimeGenerated -ls $end } |
    ? { $_.Message -like "*`tAdministrator*" }

Open in new window


Author Comment

ID: 40208759

A parameter cannot be found that matches parameter name '?'


If I could I would - I'm stuck for the moment with what I have.
LVL 70

Expert Comment

ID: 40208781
My code above should work on PS 1.
becraig's line needs a pipe in front of the question mark:
Get-EventLog  -LogName Security | ? {$_.eventid -eq "538"} | get-member

Open in new window


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A brief introduction to what I consider to be the best editor for PowerShell.
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
Learn the basics of while and for loops in Python.  while loops are used for testing while, or until, a condition is met: The structure of a while loop is as follows:     while <condition>:         do something         repeate: The break statement m…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question