Solved

What is the PowerShell entry to record the 'event code ID message' to further define the event codes?

Posted on 2015-02-04
6
162 Views
Last Modified: 2015-02-05
Hello Expert,

Within the ForEach loop on Property item [9] I'd like to include the event code ID description in the output. Do you know what the input entry should be,  @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `, in-place of  'x'? I tried 'Message', 'Description' and 'Explanation' in-place of the 'x' variable but was unsuccessful to retrieve the desired results.

Thank you,
CuriousMAUser


 ========================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 03-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =========================================================================================
#
# Event Code 4728
#

Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
}
0
Comment
Question by:CuriousMAUser
  • 4
  • 2
6 Comments
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 40589392
Try replacing
@{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
with
@{Name='Description';Expression={$psitem.Message}}
The name can be anything you want, it's the expression part that determines what goes into that calculated property.

BTW, you might want to check out the following article, which describes a method for adding all the values under the "Properties" property as named properties of the event object, that way you don't have to use things like $_.Properties[5].Value
http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40590982
Thank you.
0
 

Author Comment

by:CuriousMAUser
ID: 40591109
Hello FooTech,

At this link I've tried to mimic the code described to extract the XML into a csv files but receive errors. I feel like I'm floundering, any thoughts? Does the script below stand alone or append to an existing script?

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

# ==============================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 05-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7
# Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =============================================================================================
# Prompt for Credentials
 $cred = Get-Credential DomainName\admin

# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DomainController-DC01 -Credential $cred '
    -FilterHashTable @{Logname='Security';ID=4728} '

# Parse out the event message data
 
 ForEach ($Event in Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force '
    -Name $eventXML.Event.EventData.Data[$i].name '
    -Value $eventXML.event.eventData.Data[$i].'#text'

 # View the results with your favorite output method
 $Events | export-csv C:\Scripts\SleepMedEventID.csv
 $Events | Select-Object * | Out-GridView
  }
}
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:CuriousMAUser
ID: 40591125
Missing -

For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
0
 
LVL 39

Expert Comment

by:footech
ID: 40591761
It stands alone.
Looks like you have single-quotes (') at the end of a few lines where you should have backticks (`) for line continuation.  Change those, or just have each command on a single line so you don't have to worry about line continuation.
0
 

Author Comment

by:CuriousMAUser
ID: 40591820
Thank you, again, much better.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
A procedure for exporting installed hotfix details of remote computers using powershell
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now