Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.
Course Of The Month
4 days, 6 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Modifying Powershell to display Security Event log statistics for multiple computer
Posted on 2016-09-15
People,
Can anyone here please assist me in how to configure the below script to run on multiple computers ?
When I execute the below script with the log name System it works with no issue, but when I modify it to Security, it does not work ?
Thanks in advance.
Can anyone here please assist me in how to configure the below script to run on multiple computers ?
Get-Content C:\Users\user\Documents\server_list.txt | ....
When I execute the below script with the log name System it works with no issue, but when I modify it to Security, it does not work ?
$logName = "Security"
#get date
$dateCurrent = Get-Date
#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)
$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"
Write-Host "Log Entries since $dateNDaysAgo"
Get-WinEvent -Logname $logName | `
where-object {($_.timecreated -gt $date) -and ( ($_.levelDisplayName -eq $logLevelCritical) -or ($_.levelDisplayName -eq $logLevelWarning) -or ($_.levelDisplayName -eq $logLevelError) ) } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto
Thanks in advance.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
4
2
11 Comments
Active 4 days ago
In security you mostly find only Information logs, which will be either Audit Success or Audit Failed. So you may not get any result with current code.
Active today
Ah I see,
So which section should be modified to reflect success or failure ?
And how to make it working for multiple server object ?
So which section should be modified to reflect success or failure ?
And how to make it working for multiple server object ?
Active 4 days ago
Filter using KeywordsDisplayNames
But It's depends what you trying to looks for.. There might be Error/warnings in security log but it's rare. If you want to capture the count for Audit success and failure its possible..
?{$_.KeywordsDisplayNames -match "Audit Failed"}
or
?{$_.KeywordsDisplayNames -match "Audit Success"}
But It's depends what you trying to looks for.. There might be Error/warnings in security log but it's rare. If you want to capture the count for Audit success and failure its possible..
Active today
Any consideration to consolidate a central repository for the logs, eventlog-forwarder this way you need not have so much local storage allocated ........
and to others point, by the time you run the script, the event could be long gone.
Using SNMP, you can have the events of interest to you proactively appear and generate notification.
While at the same time logging, recording the events in a database, etc......
splunk is one such tool that can pull data from multipe....
and to others point, by the time you run the script, the event could be long gone.
Using SNMP, you can have the events of interest to you proactively appear and generate notification.
While at the same time logging, recording the events in a database, etc......
splunk is one such tool that can pull data from multipe....
Active today
Thanks SUbsun, I will give it a try now.
Arnold, Splunk is not free for anything larger than 1 GB. So is there any builtin Microsoft features that can do this event forwarding and notification ?
Arnold, Splunk is not free for anything larger than 1 GB. So is there any builtin Microsoft features that can do this event forwarding and notification ?
Active today
@Subsun:
it does not work when I tried in my local PC:
There is no result displayed ?
it does not work when I tried in my local PC:
$logName = "Security"
#get date
$dateCurrent = Get-Date
#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)
$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"
Write-Host "Log Entries since $dateNDaysAgo"
Get-WinEvent -Logname $logName | `
Where-Object {($_.timecreated -gt $date) -and ( ?{$_.KeywordsDisplayNames -match "Audit Failed"} ) } | `
Group-Object ProviderName, KeywordsDisplayNames, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto
There is no result displayed ?
Active today
Yes, splunk does what your powershell script....
The data aggregation is done using event forwarding, subscriptions.......
as long as you have a Windows 2008 or newer,
There are more detail through a search coming from the splunk site
Here is MS's basics steps.
https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx
Dism /online /enable-feature:SNMP
Dism /online /enable-feature:WMIProvide
This will install/activate SNMP and wmi over snmp
You would need to configure one system as an SNMPTRP destination(the one where you plan running this powershell script
Evntwin is the graphical interface to specify which event shoul be sent via snmptrap.
You can select which options you want, then export
If you have the set, you can use evntcmd to load the exported data versus going through the GUI one system at a time.
Using GPO one can push all related SNMP destination, read community, to all AD computers..
The use of evntcmd in a computer configuration as a startup script ........ You can distribute these settings...
The data aggregation is done using event forwarding, subscriptions.......
as long as you have a Windows 2008 or newer,
There are more detail through a search coming from the splunk site
Here is MS's basics steps.
https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx
Dism /online /enable-feature:SNMP
Dism /online /enable-feature:WMIProvide
This will install/activate SNMP and wmi over snmp
You would need to configure one system as an SNMPTRP destination(the one where you plan running this powershell script
Evntwin is the graphical interface to specify which event shoul be sent via snmptrap.
You can select which options you want, then export
If you have the set, you can use evntcmd to load the exported data versus going through the GUI one system at a time.
Using GPO one can push all related SNMP destination, read community, to all AD computers..
The use of evntcmd in a computer configuration as a startup script ........ You can distribute these settings...
Active 4 days ago
Made some changes.. Try this..
$logName = "Security"
#get date
$dateCurrent = Get-Date
#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)
Write-Host "Log Entries since $dateNDaysAgo"
Get-WinEvent -Logname $logName |
Where-Object {$_.timecreated -gt $dateNDaysAgo -and $_.KeywordsDisplayNames -match "Audit Failure"} |
Group-Object ProviderName,KeywordsDisplayNames,ID |
Sort-Object Count -descending |
Format-Table Count,Name -Auto
Active today
Subsun,
Thanks for the reply, however, the script does not work when I execute in my Powershell ISE on my laptop as well as the server logging in as DOMAIN\Administrator.
Thanks for the reply, however, the script does not work when I execute in my Powershell ISE on my laptop as well as the server logging in as DOMAIN\Administrator.
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
At line:12 char:1
+ Get-WinEvent -Logname $logName |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
Get-WinEvent : There is not an event log on the localhost computer that matches "Security".
At line:12 char:1
+ Get-WinEvent -Logname $logName |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Security:String) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
Active 4 days ago
Use Run as Administrator option to open ISE or PowerShell console.
and if you want to make it bit faster, use -FilterHashtable parameter, instead of where-object
https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/03/use-filterhashtable-to-filter-event-log-with-powershell/
and if you want to make it bit faster, use -FilterHashtable parameter, instead of where-object
$logName = "Security"
#get date
$dateCurrent = Get-Date
#For the Week
$NDays = -1
$dateNDaysAgo = $dateCurrent.AddDays($NDays)
Write-Host "Log Entries since $dateNDaysAgo"
$Key = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
Get-WinEvent -FilterHashtable @{StartTime=$dateNDaysAgo;Logname=$logName;Keywords=$Key.value__} |
Group-Object ProviderName,KeywordsDisplayNames,ID |
Sort-Object Count -descending |
Format-Table Count,Name -Auto
https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/03/use-filterhashtable-to-filter-event-log-with-powershell/
Featured Post
If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A hard and fast method for reducing Active Directory Administrators members.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This Micro Tutorial hows how you can integrate Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease.
The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month4 days, 6 hours left to enroll
687 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.