Solved

Modifying Powershell to display Security Event log statistics for multiple computer

Posted on 2016-09-15
11
39 Views
Last Modified: 2016-10-05
People,

Can anyone here please assist me in how to configure the below script to run on multiple computers ?

Get-Content C:\Users\user\Documents\server_list.txt | ....

Open in new window


When I execute the below script with the log name System it works with no issue, but when I modify it to Security, it does not work ?

$logName = "Security"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"

Write-Host "Log Entries since $dateNDaysAgo"

Get-WinEvent -Logname $logName  | `
where-object {($_.timecreated -gt $date) -and ( ($_.levelDisplayName -eq $logLevelCritical) -or ($_.levelDisplayName -eq $logLevelWarning) -or ($_.levelDisplayName -eq $logLevelError) )  } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto

Open in new window


Thanks in advance.
0
Comment
  • 5
  • 4
  • 2
11 Comments
 
LVL 40

Expert Comment

by:Subsun
Comment Utility
In security you mostly find only Information logs, which will be either Audit Success or Audit Failed. So you may not get any result with current code.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
Comment Utility
Ah I see,

So which section should be modified to reflect success or failure ?

And how to make it working for multiple server object ?
0
 
LVL 40

Expert Comment

by:Subsun
Comment Utility
Filter using KeywordsDisplayNames
?{$_.KeywordsDisplayNames -match "Audit Failed"}

or

?{$_.KeywordsDisplayNames -match "Audit Success"}

Open in new window


But It's depends what you trying to looks for.. There might be Error/warnings in security log but it's rare. If you want to capture the count for Audit success and failure its possible..
1
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Any consideration to consolidate a central repository for the logs, eventlog-forwarder this way you need not have so much local storage allocated ........
and to others point, by the time you run the script, the event could be long gone.

Using SNMP, you can have the events of interest to you proactively appear and generate notification.
While at the same time logging, recording the events in a database, etc......


splunk is one such tool that can pull data from multipe....
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
Comment Utility
Thanks SUbsun, I will give it a try now.

Arnold, Splunk is not free for anything larger than 1 GB. So is there any builtin Microsoft features that can do this event forwarding and notification ?
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 7

Author Comment

by:Senior IT System Engineer
Comment Utility
@Subsun:

it does not work when I tried in my local PC:

$logName = "Security"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"

Write-Host "Log Entries since $dateNDaysAgo"

Get-WinEvent -Logname $logName  | `
	Where-Object {($_.timecreated -gt $date) -and ( ?{$_.KeywordsDisplayNames -match "Audit Failed"} )  } | `
	Group-Object ProviderName, KeywordsDisplayNames, ID | `
	Sort-Object Count -descending | `
	Format-Table Count, Name -auto

Open in new window


There is no result displayed ?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Yes, splunk does what your powershell script....
The data aggregation is done using event forwarding, subscriptions.......

as long as you have a Windows 2008 or newer,
There are more detail through a search coming from the splunk site
Here is MS's basics steps.
https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx

Dism /online /enable-feature:SNMP
Dism /online /enable-feature:WMIProvider

This will install/activate SNMP and wmi over snmp
You would need to configure one system as an SNMPTRP destination(the one where you plan running this powershell script

Evntwin is the graphical interface to specify which event shoul be sent via snmptrap.
You can select which options you want, then export
If you have the set, you can use evntcmd to load the exported data versus going through the GUI one system at a time.

Using GPO one can push all related SNMP destination, read community, to all AD computers..
The use of evntcmd in a computer configuration as a startup script ........ You can distribute these settings...
0
 
LVL 40

Expert Comment

by:Subsun
Comment Utility
Made some changes.. Try this..
$logName = "Security"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

Write-Host "Log Entries since $dateNDaysAgo"

Get-WinEvent -Logname $logName |
	Where-Object {$_.timecreated -gt $dateNDaysAgo -and $_.KeywordsDisplayNames -match "Audit Failure"} | 
	Group-Object ProviderName,KeywordsDisplayNames,ID |
	Sort-Object Count -descending |
	Format-Table Count,Name -Auto

Open in new window

1
 
LVL 7

Author Comment

by:Senior IT System Engineer
Comment Utility
Subsun,

Thanks for the reply, however, the script does not work when I execute in my Powershell ISE on my laptop as well as the server logging in as DOMAIN\Administrator.

Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
At line:12 char:1
+ Get-WinEvent -Logname $logName |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : There is not an event log on the localhost computer that matches "Security".
At line:12 char:1
+ Get-WinEvent -Logname $logName |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Security:String) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

Open in new window

0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points (awarded by participants)
Comment Utility
Use Run as Administrator option to open ISE or PowerShell console.

and if you want to make it bit faster, use -FilterHashtable parameter, instead of where-object
$logName = "Security"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -1
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

Write-Host "Log Entries since $dateNDaysAgo"
$Key = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
Get-WinEvent -FilterHashtable @{StartTime=$dateNDaysAgo;Logname=$logName;Keywords=$Key.value__}  |
	Group-Object ProviderName,KeywordsDisplayNames,ID |
	Sort-Object Count -descending |
	Format-Table Count,Name -Auto

Open in new window

Read following article for more details..
https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/03/use-filterhashtable-to-filter-event-log-with-powershell/
1
 
LVL 40

Expert Comment

by:Subsun
Comment Utility
Script should suffice the requirement.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now