0

I received a script that is supposed to scan the event logs of 4 DCs, searching the event ID 4740 (user lockout). This is script number 1. Now I thought to myself, "Why scan all the DCs when I can scan the log of the DC that runs the role PDC Emulator?" So I found another script that does about the same job only faster... Now I have 4 questions:

  1. Does the PDCe have its own log or is it the "general" DC log?
  2. Do both scripts refer the same source?
  3. Why does the first one take about an hour and the second takes about 15 seconds?
  4. Why does the second script give output for only 8 hours back?

First script:

$DD = get-date -format d
$DD
$L = get-eventlog -logname security -computername dc1, dc2, dc3, dc4 -after $DD | where {$_.eventid -eq 4740 } | ft -autosize timegenerated.replacementstrings
$L
$L >> locked.accounts.txt

Second script:

$PDC = Get-ADDomainController -Discover -Service PrimaryDC
Get-WinEvent -ComputerName $PDC -Logname Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 604800000]] and
 EventData]" | 
Select-Object TimeCreated,@{Name='User Name';Expression={$_.Properties[0].Value}},@{Name='Source Host';Expression={$_.Properties[1].Value}}
jscott
  • 24,484
  • 8
  • 79
  • 100
Eli Bukin
  • 1
  • 1

1 Answers1

1

Do both scripts refer the same source?

Yes, both are referring to the security log. But your get-eventlog is only pulling from one DC.

  • get-eventlog -logname security -computername dc1, dc2, dc3, dc4
  • Get-WinEvent -ComputerName $PDC -Logname Security

Why does the second script give output for only 8 hours back?

Not certain, I would guess timezones. With the -after you are filtering stuff after the date you stored in $DD, which I believe is going to round to the nearest whole day. Eventlog data I believe is stored with date+times in UTC. Anyway. You are going to need to use the correct date variable that actually specifies the time you want, including the timezone.

$DD = get-date -format d $L = get-eventlog ... -after $DD

Why does the first one take about an hour and the second takes about 15 seconds?

Well it is partly because you are querying a half dozen computers instead of one. But the other part is that Get-WinEvent is significantly faster because it can process a lot of the filtering on the remote computer and only send the bits across the network that you actually need.. The get-eventlog basically passes all the event log entries to your machine, which then does the filtering.

Here are a few articles that go into more detail.

Does the PDCe have its own log or is it the "general" DC log?

Not sure what you are asking here and/or I don't know.

Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • hello Zoredache, i specifically defined to pull a week old entries "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 604800000]] and still, same problem.... gets back 8 hours old entries.... – Eli Bukin Dec 18 '15 at 14:18