3

I wrote a script to remotely fetch event logs in PowerShell, but I'm not a fan of the way the script makes its own event log entries.

Specifically this script grabs several types of event IDs including the logon/logoff events. Recently I was asked to run the script to fetch events for another user, and had to have this data fetched in a few hours. Normally I start the script and let it run for the majority of the day (because there is usually a LOT of data here), but this time to speed up the process, I spun up 4 instances of the script to fetch this data faster than usual. Each instance of the script was looking at a different time frame so that all 4 scripts combined were fetching in the time frame I had been asked for.

Over the course of 3 hours or so, I had over a million different login attempts for my user ID on this remote computer. I had so many logins that I ended up overwriting the event log data I was originally asked to fetch.

Lessons learned, I'm now researching how to make this faster, more efficient, and more reliable.

Here's the heart of my code, pretty plain and simple, and works for the most part. 

$output = Get-EventLog `
    -instanceID 4672,4647,4634,4624,4625,4648,4675,4800,4801,4802,4803 `
    -logName Security `
    -after (Get-Date $inStartDate) `
    -before (Get-Date $inEndDate).addDays(1) `
    -message ("*" + $InUserID + "*") `
    -computerName $inPCID

I guess there are several questions that I haven't been able to figure out in my research thus far. Why would Get-EventLog need to make so many connections? Is it because the connection kept dropping or something?

What would be the fastest way to fetch this data - Using the native Get-EventLog command by specifying a -ComputerName, or should I be using something like Enter-PSSession or Invoke-Command.

Will Enter-PSSession and Invoke-Command both have the same problem I'm having with Get-EventLog?

I'd like to avoid using Enter-PSSession and Invoke-Command for the simple fact that I can't guarantee all machines in the company will have remote-execution enabled.

Boeckm
  • 3,264
  • 4
  • 36
  • 41
  • 1
    How does using `Get-WinEvent` – the newer more powerful replacement for `Get-Event` compare? – Richard May 02 '12 at 15:11
  • @Richard wow, it actually looks like Get-WinEvent works just fine. I didn't even realize Get-Event was old until you said something. My script was working fine for a long time and suddenly we noticed something was wrong with it. Looks like it works fine now! Will keep testing. – Boeckm May 04 '12 at 12:53

1 Answers1

3

So, the problem was that Get-EventLog was ultimately wiping the remote event logs I was trying to fetch. Not sure why, but Get-EventLog made over a million "connections" that appeared as logon/logoff events, thus overwriting my logs.

Per @Richard's comment, I did a bit of research, and decided to test using Get-WinEvent, the updated and more powerful replacement for Get-EventLog. After testing around with this for a week, the worst case scenario that I ran into was my script creating 4 logon/logoff events. This is completely acceptable and much nicer than over a million events.

A side question I had related to this topic was performance. Because we're gathering many remote logs, we sometimes need this done as fast as possible. My question is whether or not Get-WinEvent would be fast enough to pull logs, when compared to an Enter-PSSession or an Invoke-Command.

For the scope of this question, Get-WinEvent satisfied both the speed requirements as well as the event requirements and relying on the cmdlet to perform my remoting worked great.

My code is pretty simple, but I'll post it for record reasons:

Get-WinEvent `
    -computerName $inPCID `
    -FilterHashtable @{LogName="Security";Id=4672,4647,4634,4624,4625,4648,4675,4800,4801,4802,4803; `
                       StartTime = $inStartDate; EndTime = $inEndDate} | Where-object {$_.message -like ("*" + $InUserID + "*")} `
    | export-csv $fullOutputFile
Boeckm
  • 3,264
  • 4
  • 36
  • 41