Solved

What is the PowerShell entry to record the 'event code ID message' to further define the event codes?

Posted on 2015-02-04
6
172 Views
Last Modified: 2015-02-05
Hello Expert,

Within the ForEach loop on Property item [9] I'd like to include the event code ID description in the output. Do you know what the input entry should be,  @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `, in-place of  'x'? I tried 'Message', 'Description' and 'Explanation' in-place of the 'x' variable but was unsuccessful to retrieve the desired results.

Thank you,
CuriousMAUser


 ========================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 03-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =========================================================================================
#
# Event Code 4728
#

Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
}
0
Comment
Question by:CuriousMAUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40589392
Try replacing
@{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
with
@{Name='Description';Expression={$psitem.Message}}
The name can be anything you want, it's the expression part that determines what goes into that calculated property.

BTW, you might want to check out the following article, which describes a method for adding all the values under the "Properties" property as named properties of the event object, that way you don't have to use things like $_.Properties[5].Value
http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40590982
Thank you.
0
 

Author Comment

by:CuriousMAUser
ID: 40591109
Hello FooTech,

At this link I've tried to mimic the code described to extract the XML into a csv files but receive errors. I feel like I'm floundering, any thoughts? Does the script below stand alone or append to an existing script?

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

# ==============================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 05-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7
# Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =============================================================================================
# Prompt for Credentials
 $cred = Get-Credential DomainName\admin

# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DomainController-DC01 -Credential $cred '
    -FilterHashTable @{Logname='Security';ID=4728} '

# Parse out the event message data
 
 ForEach ($Event in Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force '
    -Name $eventXML.Event.EventData.Data[$i].name '
    -Value $eventXML.event.eventData.Data[$i].'#text'

 # View the results with your favorite output method
 $Events | export-csv C:\Scripts\SleepMedEventID.csv
 $Events | Select-Object * | Out-GridView
  }
}
0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 

Author Comment

by:CuriousMAUser
ID: 40591125
Missing -

For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
0
 
LVL 40

Expert Comment

by:footech
ID: 40591761
It stands alone.
Looks like you have single-quotes (') at the end of a few lines where you should have backticks (`) for line continuation.  Change those, or just have each command on a single line so you don't have to worry about line continuation.
0
 

Author Comment

by:CuriousMAUser
ID: 40591820
Thank you, again, much better.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question