Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Modifying PowerShell script to get the Security logs for user Domain\Administrator from all AD domain controllers ?

Posted on 2016-09-11
8
Medium Priority
?
511 Views
Last Modified: 2016-09-12
Hi All,

I've managed to found this script (by SubSun), which sift through the Event logs for the Terminal Server:

Get-WinEvent -ComputerName PRODTS03-VM -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | ft -AutoSize

Open in new window


So I wonder if it is can be configured / modified to filter the Security event ID 4624 only for the user DOMAIN\Administrator like below example events:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/09/2016 12:45:25 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      PRODDC01-VM.domain.com
Description:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		MyDomain\Office.Manager
	Account Name:		Office.Manager
	Account Domain:		MyDomain
	Logon ID:		0xf99126a2
	Logon GUID:		{a5bf47f4-d53a-6ff9-2139-a4ceb9e5b284}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.188.5.34
	Source Port:		60358

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Open in new window


I need to know the:
        Keywords: Audit Success
        Logon Type: 3
        Date: 12/09/2016 12:45:25 PM
        Security ID: Domain\Administrator
      Source Network Address: 10.188.5.199

Is that possible to customize the script above ?
0
Comment
  • 4
  • 2
  • 2
8 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 400 total points
ID: 41793632
I would use MS utility Log Parser rathan speed hours to write and debug a script. the utility is well recognised and compatible with most Windows logging sources including Windows Event Logs.

your query criteria can be easily done using Log Paraer's SQL-like querying language.

You may download lownload MS Log Parser here:

https://www.microsoft.com/en-au/download/details.aspx?id=24659

FYI -

https://technet.microsoft.com/en-au/scriptcenter/dd919274.aspx
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41793653
Bing,

There is no GUI with Log Parser and the command to select all domain controllers in the domain with specific event logs is hard to find on the Intenret as well.

But yes, thanks anyway for the response.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41793660
sorry for the typo, just noticed that. typing on touch screen is still a pain for me. correct the typo below though I guess you already know the meaning. :)

"I would use MS utility Log Parser rather than spend hours to write and debug a script."

as I remember there a few GUI versions though they are still based on the utility's command line to run queries.

actually in my understanding, it should be easier to use Log Parser command line to query from multiple servers.
1
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 41

Accepted Solution

by:
footech earned 1600 total points
ID: 41794977
This should do it for your specific need.
Get-WinEvent -ComputerName PRODTS03-VM -FilterHashTable @{LogName="Security";StartTime=(get-date).AddDays(-1);ID=4624;data="administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = $_.Properties[18].Value
        Keywords = $_.KeywordsDisplayNames -join ";"
        }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft

Open in new window


I added searching for "administrator" in the event message within the filterhashtable parameter.  It's not necessary but it speeds up filtering of the desired events significantly in this case.

The trick is pulling just the desired info out of the event properties, as the data contained (and where) can change with each different type of event.  A more flexible method is to use something like what is described on this page:
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795244
@Footech, many thanks for the script mate,

is it possible to combine the script above with:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";StartTime=(get-date).AddDays(-1);ID=4624;data="administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = $_.Properties[18].Value
        Keywords = $_.KeywordsDisplayNames -join ";"
        }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft

Open in new window

0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41795257
Thanks !
0
 
LVL 41

Expert Comment

by:footech
ID: 41795266
Sure.
Get-ADDomainController -Filter * | Select-Object -expand name | % {
  Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Security";StartTime=(get-date).AddDays(-1);ID=4624;data="administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = $_.Properties[18].Value
        Keywords = $_.KeywordsDisplayNames -join ";"
        }
  }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft

Open in new window

1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795272
You are so awesome ;-)
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question