Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


PowerShell script modification Get-WinEvent from multiple servers ?

Posted on 2016-09-15
Medium Priority
Last Modified: 2016-10-04

I request some assistance in getting security event logs from multiple remote servers. I've had success with the Application and System logs, but the Security logs are too large to work practically in the same manner.

Here is what I'm using for a successful Application log:
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Application';StartTime=$StartTime} 
| ?{$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} 
| select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\App_logs.csv"

Open in new window

I couldn't find a way to filter for those properties with Get-WinEvent and numerous other posts suggested using Get-EventLog for the Security log.

Here is what I have so far. This first part appears to work correctly:
$StartTime = (get-date).adddays(-1)
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning
} | Export-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"

Open in new window

The problem with this output is the output doesn't appear organized in a human-readable fashion. For instance, the first event it pulls will have roughly 15 lines and 15 columns and data all over. Then it repeats for the next event.

Thanks in advance.
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 40

Accepted Solution

Subsun earned 1000 total points (awarded by participants)
ID: 41799708
Like I said In security you mostly find only Information logs, which will be either Audit Success or Audit Failed. You may get Error/warnings  in security log but it's rare, may be if something is wrong with Event processing or like that..
LVL 41

Assisted Solution

footech earned 1000 total points (awarded by participants)
ID: 41800165
I've never seen a recommendation to use Get-EventLog over Get-WinEvent unless you're accessing older systems.  The reason is you can filter much faster with Get-WinEvent, rather than relying on post-filtering with Where-Object or other methods.
$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Security';StartTime=$StartTime;Level=2,3} |
 select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\Sec_logs.csv"

Open in new window

Pretty much everything in the Security log is level 0.
LVL 40

Expert Comment

ID: 41827721
Reason for not getting the desired result is there is no Error/warnings  in security log.

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question