Solved

PowerShell script modification Get-WinEvent from multiple servers ?

Posted on 2016-09-15
3
23 Views
Last Modified: 2016-10-04
People,

I request some assistance in getting security event logs from multiple remote servers. I've had success with the Application and System logs, but the Security logs are too large to work practically in the same manner.

Here is what I'm using for a successful Application log:
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Application';StartTime=$StartTime} 
| ?{$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} 
| select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\App_logs.csv"

Open in new window


I couldn't find a way to filter for those properties with Get-WinEvent and numerous other posts suggested using Get-EventLog for the Security log.

Here is what I have so far. This first part appears to work correctly:
$StartTime = (get-date).adddays(-1)
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning
} | Export-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"

Open in new window


The problem with this output is the output doesn't appear organized in a human-readable fashion. For instance, the first event it pulls will have roughly 15 lines and 15 columns and data all over. Then it repeats for the next event.

Thanks in advance.
0
Comment
  • 2
3 Comments
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points (awarded by participants)
ID: 41799708
Like I said In security you mostly find only Information logs, which will be either Audit Success or Audit Failed. You may get Error/warnings  in security log but it's rare, may be if something is wrong with Event processing or like that..
0
 
LVL 39

Assisted Solution

by:footech
footech earned 250 total points (awarded by participants)
ID: 41800165
I've never seen a recommendation to use Get-EventLog over Get-WinEvent unless you're accessing older systems.  The reason is you can filter much faster with Get-WinEvent, rather than relying on post-filtering with Where-Object or other methods.
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Security';StartTime=$StartTime;Level=2,3} |
 select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\Sec_logs.csv"

Open in new window

Pretty much everything in the Security log is level 0.
1
 
LVL 40

Expert Comment

by:Subsun
ID: 41827721
Reason for not getting the desired result is there is no Error/warnings  in security log.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
This article will help you understand what HashTables are and how to use them in PowerShell.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now