PowerShell script for Event IDs

Posted on 2014-07-18
Last Modified: 2014-07-30
Server 2003, PowerShell v1

I'm looking for a script that will show the number of a specific event IDs for a specific user in the Security logs over a specific time frame.

User1 and event ID 538 July 1, 2014 - July 9, 2014

Question by:xmouser
  • 3
  • 2
  • 2
LVL 29

Expert Comment

ID: 40205320
$events = Get-EventLog  -LogName "Security" -After 7/1/2014 -Before 7/9/2014 -source "<source>" | ? {$_.eventid -eq "538" -and $_.message -like "*user*"}
write-host $events.count

Open in new window

Of course a sample of the event would be good to know where the user info is captured, I only put in $_.message this migh be captured elsewhere

Author Comment

ID: 40205361
What would the source be?

Author Comment

ID: 40205365
Got it, the source is the user. Getting error message cannot be found parameter name 'after'.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 29

Expert Comment

ID: 40205398
Can you do me a quick favor, I am not in a place to duplicate a 538, can you run this and paste the output.

I will then be able to give you a script to do exactly what you need:

Get-EventLog  -LogName Security  ? {$_.eventid -eq "538"} | get-member

Open in new window

LVL 68

Accepted Solution

Qlemo earned 500 total points
ID: 40208704
You really should update to PS 2, the latest PS release for W2003. PS 1 has many restrictions and bugs, and one of them is that Get-EventLog doesn't allow for date boundaries to be provided as parameter.

EventID 538 is User Logoff (both interactive or over network), but has changed with Vista (?) to a different ID. The username is embedded in the text message, Not changing anything in your environment, this should work:
$User = 'User1'
$start = [datetime] '7/1/2014'
$end = [datetime] '7/9/2014'

  get-eventlog security |
    ? { $_.EventId -eq 538 -and  $_.TimeGenerated -ge $start -and $_.TimeGenerated -ls $end } |
    ? { $_.Message -like "*`tAdministrator*" }

Open in new window


Author Comment

ID: 40208759

A parameter cannot be found that matches parameter name '?'


If I could I would - I'm stuck for the moment with what I have.
LVL 68

Expert Comment

ID: 40208781
My code above should work on PS 1.
becraig's line needs a pipe in front of the question mark:
Get-EventLog  -LogName Security | ? {$_.eventid -eq "538"} | get-member

Open in new window


Featured Post

Can’t get the mobile email signature right?

Not having any luck when trying to create an email signature for mobile devices? Does the formatting keep messing up? Make sure you have great email signatures on all devices by using Exclaimer Cloud - Signatures for Office 365.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Unable to remove HP CP1510 deployed printer 1 45
Server Backup on 2016 Essentials Box 1 40
exchange, outlook 2 29
How to Powershell Script 7 27
Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
A brief introduction to what I consider to be the best editor for PowerShell.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now