PowerShell script modification Get-WinEvent from multiple servers ?

Posted on 2016-09-15
Last Modified: 2016-10-04

I request some assistance in getting security event logs from multiple remote servers. I've had success with the Application and System logs, but the Security logs are too large to work practically in the same manner.

Here is what I'm using for a successful Application log:
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Application';StartTime=$StartTime} 
| ?{$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} 
| select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\App_logs.csv"

Open in new window

I couldn't find a way to filter for those properties with Get-WinEvent and numerous other posts suggested using Get-EventLog for the Security log.

Here is what I have so far. This first part appears to work correctly:
$StartTime = (get-date).adddays(-1)
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning
} | Export-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"

Open in new window

The problem with this output is the output doesn't appear organized in a human-readable fashion. For instance, the first event it pulls will have roughly 15 lines and 15 columns and data all over. Then it repeats for the next event.

Thanks in advance.
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 40

Accepted Solution

Subsun earned 250 total points (awarded by participants)
ID: 41799708
Like I said In security you mostly find only Information logs, which will be either Audit Success or Audit Failed. You may get Error/warnings  in security log but it's rare, may be if something is wrong with Event processing or like that..
LVL 40

Assisted Solution

footech earned 250 total points (awarded by participants)
ID: 41800165
I've never seen a recommendation to use Get-EventLog over Get-WinEvent unless you're accessing older systems.  The reason is you can filter much faster with Get-WinEvent, rather than relying on post-filtering with Where-Object or other methods.
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Security';StartTime=$StartTime;Level=2,3} |
 select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\Sec_logs.csv"

Open in new window

Pretty much everything in the Security log is level 0.
LVL 40

Expert Comment

ID: 41827721
Reason for not getting the desired result is there is no Error/warnings  in security log.

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

742 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question