Mathieu
asked on
Powershell script which export specific Event ID
I'm looking for a powershell script that exports security logs with Event ID 4740.
I'm new to powershell and failed to find any on Google.
Thanks for your support!
ASKER
Thanks for your support!
Maybe a stupid question. But how do I run and edit this script according to my needs?
There is no need to edit anything. On the website, look at example 2 and it will show you exactly what you want.
ASKER
Hi, when I use the example commands it still asks for SMTP server and 'To' input.
The command: Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Security","System" -EventID 4740
PowerShell asks for input and gives an error:
cmdlet Export-OSCEvent at command pipeline position 1
Supply values for the following parameters:
SmtpServer:
To[0]:
From:
Export-OSCEvent : Cannot bind argument to parameter 'SmtpServer' because it is an empty string.
At line:1 char:1
+ Export-OSCEvent -Path "C:\Eventlog.csv" -LogName "Application","Secur ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Export-OSCEvent], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Export-OSCEvent
Let me test the script also.
Not working out for me either. I will work real quick to create a quick cmdlet. Give me a few.
ASKER
Get-EventLog -Log "Application" | where {$_.eventID -eq 4672} | Export-Csv c:\testing.csv
Works. But when I run
Get-EventLog -Log "security" | where {$_.eventID -eq 4740} | Export-Csv c:\testing.csv
(As local admin) I get the following error:
Get-EventLog : Aangevraagde registertoegang is niet toegestaan.
At line:1 char:2
+ Get-EventLog -Log "security" | where {$_.eventID -eq 4740} | Export- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-EventLog], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
In English: "Requested registry access is not allowed"
Instead of writing to C:, write to something like C:\temp\file.csv.
Maybe you can't write to C:.
ASKER
I have RW access to C:\. The first script runs fine and creates the CSV on the C drive.
Run Get-ExecutionPolicy and let me know the result.
ASKER
Result: Unrestricted
This is on my testing VM. I think I have found the issue. The security logs get filled so fast that in the time the script runs, old security logs get replaced by new logs.
Cool, Unrestricted is correct. Good if you found why you are getting that error.
ASKER
I think I have to select logs from a specific timespan.
Like all logs from the last 24 hours.
I found this entry, but I don't know how to combine it with the original script.
$after=[DateTime]::Today.AddDays(-7)
ASKER
Unfortunately, same error.
You need to figure out that permissions error.
ASKER
PowerShell now gives me the following error:
Get-EventLog : Log "Security" could not be read to completion due to the following error. This may have occurred becaus
e the log was cleared while still being read. Index 3810 valt buiten het bereik.
At line:1 char:1
+ Get-EventLog -Log "Security" -after 24/5/2018 -before 26/5/2018 | whe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : LogReadError,Microsoft.PowerShell.Commands.GetEventLogCommand
Index 3810 valt buiten het bereik. = Index 3810 is out of range
Hi Mathieu,
Can you please try to run the PowerShell script under the built-in PowerShell ISE, right-click, Run as Administrator?
ASKER
Hi, Senior IT System Engineer.
Same error.
I will provide some screenshots for reference (attached: Powershell-exportToCSV-Error.PNG).
OK, can you please test it with just one single line:
Get-WinEvent -Computer localhost -FilterHashTable @{LogName="Security"; ID=4740} -MaxEvents 10
ASKER
No errors with this command!
But of course this one does not export the output.
ASKER
Now getting this error:
Get-ADComputer : The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At line:20 char:1
+ Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountCo ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADComputer:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
ii : Cannot find path 'C:\RESULT\User-LockedOutSource.csv' because it does not exist.
At line:37 char:1
+ ii $ResultFile
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\RESULT\User-LockedOutSource.csv:String) [Invoke-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.InvokeItemCommand
OK, try to add this to the script as line #1:
Import-Module ActiveDirectory
and create the directory C:\RESULT\
Get-EventLog -Log "Application" -after 5/1/2018 -before 5/27/2018 | where {$_.eventID -eq 1003} | Export-Csv c:\temp\testing.csv
Should work. Just change the dates to meet your specs. Also set the log to Security.
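Putting the thread's pieces together (the Get-WinEvent one-liner, the time-window idea from $after, and the missing C:\RESULT folder), here is an added example script that is not from the thread or any of its posters. It assumes an elevated PowerShell session (the Security log needs admin rights) and uses a constructed output path; the 4740 property indices are for that event's EventData layout only.

```powershell
# Added example: export Event ID 4740 (account lockout) from the Security log
# for the last N hours to CSV. Run from an elevated PowerShell session.
param(
    [int]$EventId     = 4740,
    [int]$HoursBack   = 24,
    [string]$OutFile  = 'C:\RESULT\LockedOut-4740.csv'   # constructed example path
)

# Create the output folder first (the thread hit "Cannot find path 'C:\RESULT\...'").
$outDir = Split-Path -Path $OutFile -Parent
if (-not (Test-Path -Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# -FilterHashtable filters inside the event log service, so only matching
# records are read. Get-EventLog reads the whole log and then filters in
# PowerShell, which is what fails when a busy Security log rolls over mid-read.
$filter = @{
    LogName   = 'Security'
    ID        = $EventId
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

# Get-WinEvent throws when nothing matches; treat "no events" as a normal result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No events with ID $EventId in the last $HoursBack hours."
    return
}

# For 4740, EventData property [0] is the locked account (TargetUserName) and
# [1] is the caller computer name (TargetDomainName). Other IDs differ.
$events |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            EventId        = $_.Id
            LockedAccount  = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
            LoggingHost    = $_.MachineName
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host "Exported $($events.Count) event(s) to $OutFile"
```

Save it as a .ps1 and run it as `.\Export-Lockouts.ps1 -HoursBack 48` to widen the window; on a domain, run it against the PDC emulator, since that DC records every lockout.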
Script to export specific Windows Security Event Logs:
https://stackoverflow.com/questions/36439494/export-specific-windows-security-event-logs
Solution to browse Windows and W3C event logs and extract required event details:
https://www.lepide.com/event-log-manager/browsing.html
Provided a verifiable answer to the author's question. The author had other permission issues to resolve not related to the question.
If you're changing Application to Security you're most likely to get a restricted access error. Run powershell as admin and add the command Set-ExecutionPolicy RemoteSigned before getting the events. Cheers!
https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc
This is a great site for scripts to do a lot of different things.