PowerShell script modification Get-WinEvent from multiple servers ?

Posted on 2016-09-15
Last Modified: 2016-10-04
People,

I request some assistance in getting security event logs from multiple remote servers. I've had success with the Application and System logs, but the Security logs are too large to work practically in the same manner.

Here is what I'm using for a successful Application log:
# Collect Error/Warning events from the last 24 hours of each server's Application log
$StartTime = (Get-Date).AddDays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
    # Each pipe ends its line so the statement continues onto the next one
    Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Application';StartTime=$StartTime} |
        ?{$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} |
        select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\App_logs.csv"


I couldn't find a way to filter for those properties with Get-WinEvent and numerous other posts suggested using Get-EventLog for the Security log.

Here is what I have so far. This first part appears to work correctly:
# Same time window, but using Get-EventLog and its -EntryType filter on the Security log
$StartTime = (Get-Date).AddDays(-1)
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
    Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning
} | Export-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"


The problem with this output is the output doesn't appear organized in a human-readable fashion. For instance, the first event it pulls will have roughly 15 lines and 15 columns and data all over. Then it repeats for the next event.

Thanks in advance.
3 Comments

Accepted Solution

by:
Subsun earned 250 total points (awarded by participants)
ID: 41799708
Like I said, in Security you mostly find only Information logs, which will be either Audit Success or Audit Failed. You may get Errors/Warnings in the Security log, but it's rare, maybe if something is wrong with event processing or something like that.

Assisted Solution

by:footech
footech earned 250 total points (awarded by participants)
ID: 41800165
I've never seen a recommendation to use Get-EventLog over Get-WinEvent unless you're accessing older systems.  The reason is you can filter much faster with Get-WinEvent, rather than relying on post-filtering with Where-Object or other methods.
$StartTime = (Get-Date).AddDays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
    # Level 2 = Error, 3 = Warning; the filter is applied by Get-WinEvent itself, not by Where-Object
    Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Security';StartTime=$StartTime;Level=2,3} |
        select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\Sec_logs.csv"


Pretty much everything in the Security log is level 0.

Expert Comment

by:Subsun
ID: 41827721
The reason for not getting the desired result is that there are no Errors/Warnings in the Security log.
0
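
The comments above explain why a Level filter on the Security log comes back empty: the events are level 0, and their Audit Success or Audit Failure outcome is carried in the event keywords. The following is an added example, not code from any poster in this thread, that filters on the Audit Failure keyword inside FilterHashtable. The keyword value is the standard Windows Audit Failure event keyword, the server list path is the one from the question, and the output file name is an assumption.

```powershell
# Added example (not from the thread): export failed audits from each server's Security log.
# Security events are level 0; the audit outcome is a keyword bit, so filter on Keywords.
$AuditFailure = 0x10000000000000    # standard "Audit Failure" event keyword (4503599627370496)
$StartTime    = (Get-Date).AddDays(-1)
$Credential   = Get-Credential
$ServerList   = 'C:\Users\user\Documents\server_list.txt'         # path used in the question
$OutFile      = 'C:\Users\user\Documents\Sec_audit_failures.csv'  # assumed output file name

# The filter is evaluated by the event log service on each server, not by Where-Object locally
$Filter = @{ LogName = 'Security'; StartTime = $StartTime; Keywords = $AuditFailure }

Get-Content $ServerList | Where-Object { $_.Trim() } | ForEach-Object {
    $Server = $_.Trim()
    $Params = @{
        ComputerName    = $Server
        Credential      = $Credential
        FilterHashtable = $Filter
        ErrorAction     = 'Stop'
    }
    try {
        Get-WinEvent @Params |
            Select-Object MachineName, TimeCreated, Id,
                @{ Name = 'Keywords'; Expression = { $_.KeywordsDisplayNames -join ';' } },
                Message
    }
    catch {
        # A server with no failed audits in the window raises NoMatchingEventsFound; skip it quietly
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${Server}: $($_.Exception.Message)"
        }
    }
} | Export-Csv $OutFile -NoTypeInformation
```

Replacing the keyword with 0x20000000000000 (Audit Success) exports successful audits instead.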
