PowerShell script for Event IDs

Server 2003, PowerShell v1

I'm looking for a script that will show the number of occurrences of a specific event ID for a specific user in the Security logs over a specific time frame.

User1 and event ID 538 July 1, 2014 - July 9, 2014

Possible?
Asked by: xmouser

1 Solution
 
becraig Commented:
# -After/-Before are PowerShell 2.0 parameters; PowerShell 1.0's Get-EventLog does not have them.
# Note -Before 7/9/2014 means midnight, so it excludes July 9 itself; use 7/10/2014 to include the whole day.
$events = @(Get-EventLog -LogName "Security" -After 7/1/2014 -Before 7/9/2014 -Source "<source>" | ? {$_.eventid -eq "538" -and $_.message -like "*User1*"})
write-host $events.count   # @() keeps .count valid when zero or one event matches



Of course, a sample of the event would be good to know where the user info is captured. I only put in $_.message; this might be captured elsewhere.
 
xmouser (Author) Commented:
What would the source be?
 
xmouser (Author) Commented:
Got it, the source is the user. Getting the error message "cannot be found parameter name 'after'".
 

becraig Commented:
Can you do me a quick favor, I am not in a place to duplicate a 538, can you run this and paste the output.

I will then be able to give you a script to do exactly what you need:

Get-EventLog  -LogName Security  ? {$_.eventid -eq "538"} | get-member


 
Qlemo (C++ Developer) Commented:
You really should update to PS 2, the latest PS release for W2003. PS 1 has many restrictions and bugs, and one of them is that Get-EventLog doesn't allow for date boundaries to be provided as parameter.

EventID 538 is User Logoff (both interactive or over network), but has changed with Vista (?) to a different ID. The username is embedded in the text message. Without changing anything in your environment, this should work:
$User = 'User1'
$start = [datetime] '7/1/2014'
$end = ([datetime] '7/9/2014').AddDays(1)   # exclusive upper bound, so all of July 9 is included

# PowerShell 1.0: Get-EventLog has no -After/-Before, so the whole log is read
# and the date range is filtered client-side on TimeGenerated.
@(
  get-eventlog security |
    ? { $_.EventId -eq 538 -and $_.TimeGenerated -ge $start -and $_.TimeGenerated -lt $end } |
    ? { $_.Message -like "*`t$User*" }   # the user name follows a tab in the 538 message text
).count
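The approach in the thread (filter on TimeGenerated because PowerShell 1.0 lacks -After/-Before, then read the user out of the message text) carried through as an added example. This is not code from the thread or from any of its posters. It assumes the Windows Server 2003 layout of the 538 message, where the account appears on a "User Name:" line, and it runs against constructed sample events that stand in for Get-EventLog output; the function names Get-EventUserName, Get-UserLogoffCount and New-SampleEvent are this example's own.

```powershell
# Added example (not code from the thread): count event ID 538 logoffs for one user
# in a date range by parsing the user name out of the event text.
# Written for PowerShell 1.0: no -After/-Before on Get-EventLog, no [PSCustomObject],
# no -Property on New-Object, so the whole log is filtered client-side.

$User  = 'User1'
$Start = [datetime] '7/1/2014'
$End   = ([datetime] '7/9/2014').AddDays(1)   # exclusive bound, so all of July 9 counts

# Assumed 538 message layout (Windows Server 2003), account on the "User Name:" line:
#   User Logoff:
#       User Name:  User1
#       Domain:     CONTOSO
#       Logon ID:   (0x0,0x1A2B3)
#       Logon Type: 3
# Reading that field with a regex avoids the loose "*User1*" wildcard, which would
# also count "User10" or a domain name that happens to contain the string.
function Get-EventUserName {
    param($Event)
    if ($Event.Message -match 'User Name:\s+(\S+)') { return $matches[1] }
    return $null
}

function Get-UserLogoffCount {
    param($Events, $UserName, $From, $To)
    $hits = @($Events | ? {
        $_.EventID -eq 538 -and
        $_.TimeGenerated -ge $From -and $_.TimeGenerated -lt $To -and
        (Get-EventUserName $_) -eq $UserName       # string -eq is case-insensitive
    })
    return $hits.Count                             # @() keeps .Count valid for 0 or 1 hits
}

# Constructed sample events standing in for "Get-EventLog -LogName Security" output.
function New-SampleEvent {
    param([int]$Id, [string]$When, [string]$Name)
    $e = New-Object PSObject
    $e | Add-Member NoteProperty EventID       $Id
    $e | Add-Member NoteProperty TimeGenerated ([datetime] $When)
    $e | Add-Member NoteProperty Message ("User Logoff:`r`n `tUser Name:`t$Name`r`n `tDomain:`t`tCONTOSO`r`n `tLogon Type:`t3`r`n")
    return $e
}
$sample = @(
    (New-SampleEvent 538 '7/1/2014 08:15'  'User1'),
    (New-SampleEvent 538 '7/9/2014 23:50'  'User1'),   # last day: counted only because $End is 7/10
    (New-SampleEvent 538 '7/10/2014 00:01' 'User1'),   # outside the window
    (New-SampleEvent 538 '7/5/2014 12:00'  'User10'),  # matches "*User1*" but is a different account
    (New-SampleEvent 540 '7/5/2014 12:00'  'User1')    # wrong event ID
)

Get-UserLogoffCount $sample $User $Start $End

# Same window, broken down per account (who logged off how often):
$sample | ? { $_.EventID -eq 538 -and $_.TimeGenerated -ge $Start -and $_.TimeGenerated -lt $End } |
    % { Get-EventUserName $_ } | Group-Object | Select-Object Name, Count

# Against the real log (needs rights to read the Security log; on PS 1.0 every record is read):
# Get-UserLogoffCount (Get-EventLog -LogName Security) $User $Start $End
```

Of the five constructed events only the two in-range User1 logoffs are counted; the User10 event is the case a "*User1*" wildcard would have counted wrongly, and the July 9 23:50 event is the one a midnight-of-July-9 upper bound would have dropped. Because PowerShell 1.0 cannot filter the log server-side, the real-log call reads the whole Security log before filtering, so expect it to take a while on a large log.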
 
xmouser (Author) Commented:
becraig

A parameter cannot be found that matches parameter name '?'

Qlemo

If I could I would - I'm stuck for the moment with what I have.
 
Qlemo (C++ Developer) Commented:
My code above should work on PS 1.
becraig's line needs a pipe in front of the question mark:
Get-EventLog  -LogName Security | ? {$_.eventid -eq "538"} | get-member
