Solved

What is the PowerShell entry to record the 'event code ID message' to further define the event codes?

Posted on 2015-02-04
Last Modified: 2015-02-05
Hello Expert,

Within the ForEach loop on Property item [9] I'd like to include the event code ID description in the output. Do you know what the input entry should be, @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, in place of 'x'? I tried 'Message', 'Description' and 'Explanation' in place of the 'x' variable but was unsuccessful in retrieving the desired results.

Thank you,
CuriousMAUser


# ========================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 03-Feb-2015
# Version: PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =========================================================================================
#
# Event Code 4728
#

Set-ExecutionPolicy RemoteSigned -Force
Import-Module ActiveDirectory

# Account name to filter on (a regex). '.*' matches every account; set this before running.
$UserName = '.*'

try {
    $SearchID = 4728
    Get-ChildItem "C:\EventLog\SecurityEvents.evtx" | Select-Object FullName | ForEach-Object {
        # $psitem is the file here; inside the Where-Object and Select-Object blocks it is the event
        Get-WinEvent -FilterHashtable @{Path=$psitem.FullName; ID=$SearchID} -ErrorAction Stop |
            Where-Object { $psitem.Properties[5].Value -match $UserName } |
            Select-Object -Property TimeCreated, `
                @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}} |
            Format-Table
    }
}
Catch {
    $psitem.Exception.GetType().FullName
    $psitem.Exception.Message
}
#
# Event Code 4729
#
try {
    $SearchID = 4729
    Get-ChildItem "C:\EventLog\SecurityEvents.evtx" | Select-Object FullName | ForEach-Object {
        Get-WinEvent -FilterHashtable @{Path=$psitem.FullName; ID=$SearchID} -ErrorAction Stop |
            Where-Object { $psitem.Properties[5].Value -match $UserName } |
            Select-Object -Property TimeCreated, `
                @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}} |
            Format-Table
    }
}
Catch {
    $psitem.Exception.GetType().FullName
    $psitem.Exception.Message
}
Question by: CuriousMAUser

6 Comments
Accepted Solution

by: footech (earned 500 total points)
ID: 40589392
Try replacing
@{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
with
@{Name='Description';Expression={$psitem.Message}}
The name can be anything you want; it's the expression part that determines what goes into that calculated property.

BTW, you might want to check out the following article, which describes a method for adding all the values under the "Properties" property as named properties of the event object; that way you don't have to use things like $_.Properties[5].Value
http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40590982
Thank you.
0
 

Author Comment

by:CuriousMAUser
ID: 40591109
Hello FooTech,

At this link I've tried to mimic the code described to extract the XML into a csv file but receive errors. I feel like I'm floundering, any thoughts? Does the script below stand alone or append to an existing script?

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

# ==============================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 05-Feb-2015
# Version: PowerShell 4.0
# Client OS: Windows 7
# Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =============================================================================================
# Prompt for Credentials
 $cred = Get-Credential DomainName\admin

# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DomainController-DC01 -Credential $cred '
    -FilterHashTable @{Logname='Security';ID=4728} '

# Parse out the event message data
 
 ForEach ($Event in $Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force '
    -Name $eventXML.Event.EventData.Data[$i].name '
    -Value $eventXML.event.eventData.Data[$i].'#text'

 # View the results with your favorite output method
 $Events | export-csv C:\Scripts\SleepMedEventID.csv
 $Events | Select-Object * | Out-GridView
  }
}
0

Author Comment

by:CuriousMAUser
ID: 40591125
Missing -

For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
0
 
Expert Comment

by: footech
ID: 40591761
It stands alone.
Looks like you have single-quotes (') at the end of a few lines where you should have backticks (`) for line continuation.  Change those, or just have each command on a single line so you don't have to worry about line continuation.
0
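The two points made in this thread, the Description column from $psitem.Message (accepted answer) and the XML method that attaches EventData fields by name (the linked article, with backticks for continuation and a complete For/ForEach body), combined into one working script. This is an added example, not code from the thread or from the linked article. The .evtx path, the output path and the member filter are placeholders to be replaced; the EventData field names MemberName, TargetUserName, TargetDomainName, SubjectUserName and SubjectDomainName are the ones Windows writes for 4728/4729.

```powershell
# Added example, not code from the thread or from the linked article.
# Reads member-added (4728) / member-removed (4729) events from a saved Security
# log, attaches each EventData field by name (XML method), and reports the
# event Message as the description (accepted answer). Paths are placeholders.
param(
    [string]$LogPath      = 'C:\EventLog\SecurityEvents.evtx',  # placeholder: saved .evtx to read
    [int[]] $EventIds     = @(4728, 4729),                       # group membership add / remove
    [string]$MemberFilter = '.*',                                # regex applied to MemberName; '.*' keeps all
    [string]$OutCsv       = 'C:\Scripts\GroupChanges.csv'        # placeholder: report location
)

function Add-EventDataProperties {
    # Turns every <Data Name="..."> element of the event's XML into a NoteProperty
    # on the event object, so fields can be used by name instead of Properties[n].
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        foreach ($data in $xml.Event.EventData.Data) {
            # Unnamed <Data> elements surface as plain strings; only named ones become properties
            if ($data -is [System.Xml.XmlElement] -and $data.GetAttribute('Name')) {
                Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                    -Name $data.GetAttribute('Name') -Value $data.'#text'
            }
        }
        $Event
    }
}

try {
    $events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; ID = $EventIds } -ErrorAction Stop |
        Add-EventDataProperties |
        Where-Object { $_.MemberName -match $MemberFilter }
}
catch {
    # Get-WinEvent throws a terminating "No events were found" error when nothing matches
    Write-Warning ('{0}: {1}' -f $_.Exception.GetType().FullName, $_.Exception.Message)
    $events = @()
}

# Column list: Description is the first line of the event Message (the accepted answer's
# $psitem.Message); the remaining names are the EventData fields Windows writes for 4728/4729.
$columns = @(
    'TimeCreated'
    'Id'
    @{ Name = 'Action';      Expression = { if ($_.Id -eq 4728) { 'Added' } else { 'Removed' } } }
    @{ Name = 'Description'; Expression = { ($_.Message -split "`n")[0].Trim() } }
    'MemberName'
    'TargetUserName'
    'TargetDomainName'
    'SubjectUserName'
    'SubjectDomainName'
)

$report = $events | Select-Object -Property $columns
$report | Format-Table -AutoSize
$report | Export-Csv -Path $OutCsv -NoTypeInformation
```

Run it as a stand-alone .ps1 (for example `.\GroupChanges.ps1 -LogPath 'C:\EventLog\SecurityEvents.evtx' -MemberFilter 'CN=jsmith'`). Building the column list inside `@( ... )` avoids line continuation altogether, which sidesteps the single-quote/backtick mix-up discussed above; the one backtick that remains is inside the Add-Member call.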
 

Author Comment

by:CuriousMAUser
ID: 40591820
Thank you, again, much better.
0
