
I'm looking to use PowerShell to monitor the "Security" logs of a list of 2003 and 08 servers for a specific event ID. So far I've used this:

    $servers = gc c:\temp\servers.txt
    foreach ($server in $servers)
    {
        # Intrinsic event: fire when a new Win32_NTLogEvent appears in the Security log with EventCode 529
        $Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 529"

        # The -Action block runs outside the loop's scope, so the loop's $server is not
        # visible inside it; the SourceIdentifier carries the server name instead.
        Register-WmiEvent -ComputerName $server -Query $Query -SourceIdentifier "$server" -Action {
            Write-Host "Event ID 529 has been found in the Security log on $($Event.SourceIdentifier)"
        }
    }

but how can you get the time stamp of the log entry, and only the latest one if present?

Mat

user1890242

3 Answers


Forget WMI. Use Get-EventLog.

    [string[]]$Servers = @("server1","server2")
    # -ComputerName takes the whole list; -Newest 1 keeps only the most recent matching
    # entry, and TimeGenerated is the log entry's own time stamp
    Get-EventLog -LogName Security -ComputerName $Servers -Newest 1 -InstanceId 529 | select EventID,TimeGenerated,MachineName
James Woolfenden

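The two pieces the question asks for, the time stamp of the newest existing entry and a notification for each new one, can be combined in one script. The block below is an added example, not code from the question or from the answers on this page: it takes the `-Newest 1` query from this answer for the entry already in the log and the `Register-WmiEvent` subscription from the question for entries that arrive later, pulling the time stamp out of the WMI instance in the action. The server-list path, the `Sec-<id>-<server>` source identifier and the `$EventCode` variable are assumptions made here; it also assumes the account running it has admin rights on the remote hosts and that DCOM/RPC to them is open. One caveat for the mixed 2003/2008 fleet in the question: 529 is the Windows 2003 "logon failure" event ID, while 2008 logs failed logons as 4625, so a single ID will not cover both.

```powershell
# Added example (not from the thread): report the newest existing Security-log entry
# with a given event ID on each server, then print each new one as it is written.
# Assumptions: admin rights and DCOM/RPC access to every host in c:\temp\servers.txt.
# Caveat: 529 applies to Windows 2003; Vista/2008 log failed logons as 4625 instead.

$EventCode = 529
$servers   = Get-Content c:\temp\servers.txt

foreach ($server in $servers) {
    # Newest matching entry already in the log, if there is one (one query per server).
    $latest = Get-EventLog -ComputerName $server -LogName Security -InstanceId $EventCode -Newest 1 -ErrorAction SilentlyContinue
    if ($latest) {
        Write-Host ("{0}: last event {1} at {2}" -f $server, $EventCode, $latest.TimeGenerated)
    } else {
        Write-Host ("{0}: no existing event {1} entries" -f $server, $EventCode)
    }

    # Subscribe to new entries. EventCode is numeric in WQL, so it is not quoted.
    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
             "AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = $EventCode"

    # The action runs in the event's own scope, so the loop's $server is not visible there;
    # everything needed is read from the delivered event object instead.
    Register-WmiEvent -ComputerName $server -Query $query -SourceIdentifier "Sec-$EventCode-$server" -Action {
        $entry = $Event.SourceEventArgs.NewEvent.TargetInstance
        # TimeGenerated on Win32_NTLogEvent is a DMTF datetime string (yyyymmddHHMMSS.ffffff+UUU);
        # convert it to a .NET DateTime before printing or comparing it.
        $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($entry.TimeGenerated)
        Write-Host ("{0}: event {1} at {2}`n{3}" -f $entry.ComputerName, $entry.EventCode, $when, $entry.Message)
    } | Out-Null
}

# The subscriptions live only as long as this session, so keep it running.
# Stop with Ctrl+C, then remove the subscriptions with: Get-EventSubscriber | Unregister-Event
while ($true) { Start-Sleep -Seconds 5 }
```

The subscription itself only tells you that an entry appeared; the time stamp, message and originating machine all come from the `TargetInstance` embedded in the event, which is why the action reads them from `$Event` rather than from variables set in the loop.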

Keep it simple:

    $servers = gc c:\temp\servers.txt
    foreach ($server in $servers)
    {
        # Pull the whole Security log from the server and keep only event ID 529
        $events = Get-EventLog -ComputerName $server -LogName "Security" | Where-Object { $_.EventID -eq 529 }
        if ($null -ne $events)
        {
            foreach ($event in $events)
            {
                # TimeGenerated is the time stamp of the log entry
                $event.TimeGenerated
            }
        }
    }
Andrey Marchuk
  • Thanks, I know you can do that, but 1) it is very slow when running on multiple computers and 2) it will not notify me of any new event that arrives. – user1890242 Feb 22 '13 at 11:08


I wrote this a while back, for just such an occasion:

http://gallery.technet.microsoft.com/scriptcenter/ed188912-1a20-4be9-ae4f-8ac46cf2aae4

mjolinor
  • Should work. It was designed for exactly what you describe - monitoring multiple servers for specific events and sending notifications. – mjolinor Feb 22 '13 at 11:42
  • OK, I ran this and followed the instructions but get this error: [ : Array assignment to [#] failed: Cannot convert value "#" to type "System.Int32". Error: "Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: startIndex". At C:\Scripts\Events Monitor.ps1:37 char:45 + Import-Csv alert_events.csv |% {$event_list[ <<<< $_.source + '#' + $_.id] = 1} + CategoryInfo : InvalidOperation: (1:Int32) [], RuntimeException + FullyQualifiedErrorId : ArrayAssignmentFailed – user1890242 Feb 22 '13 at 11:56
  • It's designed to be able to search for multiple events. You need to edit the .csv file and replace '#' with an event id you want it to search for. – mjolinor Feb 22 '13 at 12:14