Solved

What is the PowerShell entry to record the 'event code ID message' to further define the event codes?

Posted on 2015-02-04
6
170 Views
Last Modified: 2015-02-05
Hello Expert,

Within the ForEach loop on Property item [9] I'd like to include the event code ID description in the output. Do you know what the input entry should be,  @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `, in-place of  'x'? I tried 'Message', 'Description' and 'Explanation' in-place of the 'x' variable but was unsuccessful to retrieve the desired results.

Thank you,
CuriousMAUser


 ========================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 03-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =========================================================================================
#
# Event Code 4728
#

Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
}
0
Comment
Question by:CuriousMAUser
  • 4
  • 2
6 Comments
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40589392
Try replacing
@{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
with
@{Name='Description';Expression={$psitem.Message}}
The name can be anything you want, it's the expression part that determines what goes into that calculated property.

BTW, you might want to check out the following article, which describes a method for adding all the values under the "Properties" property as named properties of the event object, that way you don't have to use things like $_.Properties[5].Value
http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40590982
Thank you.
0
 

Author Comment

by:CuriousMAUser
ID: 40591109
Hello FooTech,

At this link I've tried to mimic the code described to extract the XML into a csv files but receive errors. I feel like I'm floundering, any thoughts? Does the script below stand alone or append to an existing script?

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

# ==============================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 05-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7
# Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =============================================================================================
# Prompt for Credentials
 $cred = Get-Credential DomainName\admin

# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DomainController-DC01 -Credential $cred '
    -FilterHashTable @{Logname='Security';ID=4728} '

# Parse out the event message data
 
 ForEach ($Event in Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force '
    -Name $eventXML.Event.EventData.Data[$i].name '
    -Value $eventXML.event.eventData.Data[$i].'#text'

 # View the results with your favorite output method
 $Events | export-csv C:\Scripts\SleepMedEventID.csv
 $Events | Select-Object * | Out-GridView
  }
}
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:CuriousMAUser
ID: 40591125
Missing -

For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
0
 
LVL 40

Expert Comment

by:footech
ID: 40591761
It stands alone.
Looks like you have single-quotes (') at the end of a few lines where you should have backticks (`) for line continuation.  Change those, or just have each command on a single line so you don't have to worry about line continuation.
0
 

Author Comment

by:CuriousMAUser
ID: 40591820
Thank you, again, much better.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question