Mathieu asked:
PowerShell script which exports a specific Event ID

I'm looking for a PowerShell script that exports security logs with Event ID 4740.
I'm new to PowerShell and failed to find any on Google.

Thanks for your support!
timgreen7077

The link below will allow you to export specific event IDs using PowerShell.

https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc

This is a great site for scripts that do a lot of different things.
Mathieu (ASKER)
Thanks for your support!

Maybe a stupid question, but how do I run and edit this script according to my needs?
There is no need to edit anything. On the website, look at example 2 and it will show you exactly what you want.
Mathieu (ASKER)
Hi, when I use the example commands it still asks for the SMTP server and 'To' input.

The command: Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 4740

PowerShell asks for input and gives an error:

cmdlet Export-OSCEvent at command pipeline position 1
Supply values for the following parameters:
SmtpServer:
To[0]:
From:
Export-OSCEvent : Cannot bind argument to parameter 'SmtpServer' because it is an empty string.
At line:1 char:1
+ Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Secur ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Export-OSCEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Export-OSCEvent


Let me test the script also.
Not working out for me either. I will work real quick to create a quick cmdlet. Give me a few.
ASKER CERTIFIED SOLUTION by timgreen7077
(This solution is only available to Experts Exchange members.)

SOLUTION
(This solution is only available to Experts Exchange members.)
Mathieu (ASKER)
Get-EventLog -Log "Application" | where {$_.eventID -eq 4672} | Export-Csv c:\testing.csv


Works.

But when I run
Get-EventLog -Log "security" | where {$_.eventID -eq 4740} | Export-Csv c:\testing.csv

(as local admin) I get the following error:

Get-EventLog : Requested registry access is not allowed.
At line:1 char:2
+  Get-EventLog -Log "security" | where {$_.eventID -eq 4740} | Export- ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
Instead of writing to C:\, write to something like C:\temp\file.csv.
Maybe you can't write to C:\.
Mathieu (ASKER)
I have RW access to C:\. The first script runs fine and creates the CSV on the C drive.
Run Get-ExecutionPolicy and let me know the result.
Mathieu (ASKER)
Result:
Unrestricted


This is on my testing VM.

I think I have found the issue. The security logs get filled so fast that, in the time the script runs, old security logs get replaced by new logs.
Cool, Unrestricted is correct. Good if you found why you are getting that error.
Mathieu (ASKER)
I think I have to select logs from a specific timespan.

Like all logs from the last 24 hours.

I found this entry, but I don't know how to combine it with the original script.

$after=[DateTime]::Today.AddDays(-7)


SOLUTION
(This solution is only available to Experts Exchange members.)
Mathieu (ASKER)
Unfortunately, same error.
You need to figure out that permissions error.
Mathieu (ASKER)
Powershell now gives me the following error:

Get-EventLog : Log "Security" could not be read to completion due to the following error. This may have occurred because the log was cleared while still being read. Index 3810 is out of range.
At line:1 char:1
+ Get-EventLog -Log "Security" -after 24/5/2018 -before 26/5/2018 | whe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : LogReadError,Microsoft.PowerShell.Commands.GetEventLogCommand
Hi Mathieu,

Can you please try to run the PowerShell script under the built-in PowerShell ISE (right-click, Run as Administrator)?
Mathieu (ASKER)
Hi, Senior IT System Engineer.

Same error.
I will provide some screenshots for reference. (Screenshot: Powershell-exportToCSV-Error.PNG)
OK, can you please test it with just one single line:

Get-WinEvent -Computer localhost -FilterHashTable @{LogName="Security"; ID=4740} -MaxEvents 10


Mathieu (ASKER)
No errors with this command!

But of course this one does not export the output.
Mathieu (ASKER)
I have it working with this script:

Get-WinEvent -Computer localhost -FilterHashTable @{LogName="Security"; ID=4634} -MaxEvents 10 | Export-Csv c:\testing3.csv



The only problem now is it only gives the message ID but no specific information like the source computername.

Mathieu (ASKER)
Now getting this error:

Get-ADComputer : The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:20 char:1
+ Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountCo ...
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADComputer:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
ii : Cannot find path 'C:\RESULT\User-LockedOutSource.csv' because it does not exist.
At line:37 char:1
+ ii $ResultFile
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\RESULT\User-LockedOutSource.csv:String) [Invoke-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.InvokeItemCommand


OK, try to add this to the script as line #1:

Import-Module ActiveDirectory

and create the directory C:\RESULT\
Get-EventLog -Log "Application" -after 5/1/2018 -before 5/27/2018 | where {$_.eventID -eq 1003} | Export-Csv c:\temp\testing.csv

should work. Just change the dates to meet your specs, and set the log to Security.
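Two points in the thread are left hanging: the asker's remark that the exported CSV only carries the event ID and message but not the source computer name, and the suggestion just above to narrow the export with a date range. The script below is an added example, not code from the thread, from the Script Center link, or from the members-only solutions, that addresses both. It uses Get-WinEvent (the modern Event Log API with server-side filtering, which is also why the one-liner with -FilterHashTable worked where Get-EventLog failed with "log was cleared while still being read"), restricts event 4740 to a time window, pulls the locked-out account and the caller computer out of each event's XML, and exports the result. The output path C:\temp\Lockouts-4740.csv, the 24-hour window, and the Test-CanReadSecurityLog helper are assumptions for illustration. Save it as a .ps1 and run it from an elevated PowerShell.

```powershell
#Requires -Version 3.0
# Added example (not from the thread): export account lockout events
# (Security event 4740) from a time window to CSV, including the locked-out
# account and the computer the bad password attempts came from.
# Assumed for illustration: the output path and the 24-hour look-back window.
param(
    [string]$OutFile  = 'C:\temp\Lockouts-4740.csv',  # assumed output path
    [int]   $Hours    = 24,                           # assumed look-back window
    [string]$Computer = 'localhost'
)

function Test-CanReadSecurityLog {
    # The Security log is readable only by elevated sessions or members of the
    # local "Event Log Readers" group. Get-EventLog reports the denial as
    # "Requested registry access is not allowed"; the execution policy only
    # governs whether script files run and has no effect on log access.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # S-1-5-32-573 is the well-known SID of BUILTIN\Event Log Readers.
    $reader    = @($id.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-573'
    return ($elevated -or $reader)
}

function Get-LockoutEvent {
    param([string]$ComputerName, [datetime]$Since)

    # Get-WinEvent filters on the server side through the modern Event Log API.
    # Get-EventLog walks the whole log through the legacy API, which is what
    # produces "log was cleared while still being read" on a busy Security log.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # An empty result is reported as an error; treat it as "no lockouts"
        # and let anything else (access denied, RPC failure) propagate.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Export-Csv only sees the record's top-level properties (Id, TimeCreated,
        # Message, ...). The per-event fields live in the <EventData> XML block.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            RecordId       = $e.RecordId
            LockedAccount  = $data['TargetUserName']
            # In event 4740, TargetDomainName carries the caller computer name:
            # the machine from which the failed logons originated.
            SourceComputer = $data['TargetDomainName']
            LockedBy       = $data['SubjectUserName']   # usually the DC's computer account
            LoggedOn       = $e.MachineName
        }
    }
}

if (-not (Test-CanReadSecurityLog)) {
    Write-Warning 'This session cannot read the Security log: run elevated or join "Event Log Readers".'
}

$since   = (Get-Date).AddHours(-$Hours)
$results = @(Get-LockoutEvent -ComputerName $Computer -Since $since)
if ($results.Count -eq 0) {
    Write-Warning "No 4740 events on $Computer since $since; nothing exported."
    return
}

$dir = Split-Path -Parent $OutFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$results | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("{0} lockout event(s) since {1} written to {2}" -f $results.Count, $since, $OutFile)
```

Run it against a domain controller (the 4740 events are logged on the DC that processed the lockout, not on the workstation) with something like `.\Export-Lockouts.ps1 -Computer dc01 -Hours 48`. The SourceComputer column is the field the asker was missing; if it is empty or a NetBIOS name you do not recognise, the failed logons came through a device (often a phone or a mapped drive on another host) that reports a different name.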
Script to export specific Windows Security Event Logs:
https://stackoverflow.com/questions/36439494/export-specific-windows-security-event-logs

Solution to browse windows, W3C event logs and extract required event details:
https://www.lepide.com/event-log-manager/browsing.html
Provided a verifiable answer to the author's question. The author had other permission issues to resolve not related to the question.
If you're changing Application to Security you're most likely to get a restricted access error. Run PowerShell as admin and add the command Set-ExecutionPolicy RemoteSigned before getting the events. Cheers!