
I would like assistance with getting security event logs from multiple remote servers. I've had success with the Application and System logs, but the Security logs are too large to work practically in the same manner.

Here is what I'm using for a successful Application log:

$StartTime = (get-date).adddays(-1)
$Credential = Get-Credential
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
    # Pull the last day of the Application log from each server, then keep only Errors and Warnings
    Get-WinEvent -ComputerName $_ -Credential $Credential -FilterHashTable @{LogName='Application';StartTime=$StartTime} |
        ?{$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} |
        select machinename,timecreated,id,level,message
} | Export-Csv "C:\Users\user\Documents\App_logs.csv"

I can create something similar for the Security logs, but it took 10 hours to pull all the Security logs, so that isn't practical for me. Now I am trying to filter the fields it pulls so that I only get Audit Failures, Errors and Warnings.

I couldn't find a way to filter for those properties with Get-WinEvent and numerous other posts suggested using Get-EventLog for the Security log.

Here is what I have so far. This first part appears to work correctly:

$StartTime = (get-date).adddays(-1)
Get-Content C:\Users\user\Documents\server_list.txt | Foreach-Object{
Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning
} | Export-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"

The problem with this output is that it doesn't appear organized in a human-readable fashion. For instance, the first event it pulls will have roughly 15 lines and 15 columns with data all over. Then it repeats for the next event. I created a pivot table for it and still couldn't easily interpret it.

I next attempted to filter this further, and this is where it isn't working how I hoped. I run this as a separate file right now because when it's all in one script it errors.

$Seclog = Import-Clixml "C:\Users\user\Documents\Test_Sec_logs.xml"
$Seclog | fl -property EventID, MachineName, Category, EntryType, Message, Source, TimeGenerated, TimeWritten, Username |
    Export-Clixml "C:\Users\user\Documents\Test_Sec_logs_filtered.xml"

The filtered XML is created but only shows the EventID property. I would like to capture the data in all the fields listed after "property".

I appreciate any help and advice. Thanks in advance.

  • Not meaning to be snarky about this, but if you chose XML as the output format, you should lower your expectations about it being human-readable. Have you tried Export-Csv instead? – Adil Hindistan Feb 04 '14 at 16:23
  • Yes. When I export the security log to CSV, it doesn't have the contents of the message section. The CSV does have a column for "Message", but all it says is "A" or "An". Here is what I used for CSV: '$StartTime = (get-date).adddays(-1) Get-Content C:\Users\user\Documents\test.txt | Foreach-Object{ Get-EventLog Security -ComputerName $_ -After $StartTime -EntryType Error,FailureAudit,Warning } | Export-csv "C:\Users\user\Documents\Test_Sec_logs.csv"' – user3271408 Feb 04 '14 at 17:26
  • Are you sure? I just tried it and when I open the CSV in Excel the column only shows "A" or "An" for messages that start with that, but the entire Message field is there if I make the column wider. Importing it back into PowerShell shows that the entire message field is intact for all entries. – TheMadTechnician Feb 04 '14 at 20:51
  • You are correct. Unfortunately, there is no up arrow for me to mark your answer as correct. I've tried on two different browsers, IE and Firefox, on two different computers, one at work and one at home. Thank you very much for your help. – user3271408 Feb 06 '14 at 02:19
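Putting the thread together, here is an added example (not the asker's script or any commenter's code) that collects the filtered Security events from each server and writes them to a CSV that keeps the full Message text. It assumes server_list.txt holds one host name per line and that the caller can read each remote Security log; the file paths are placeholders.

```powershell
# Collect yesterday's Audit Failures, Errors and Warnings from the Security
# log of every server in a list and export them as a flat CSV.
$ServerList = 'C:\Users\user\Documents\server_list.txt'   # placeholder path
$OutFile    = 'C:\Users\user\Documents\Sec_logs_filtered.csv'
$StartTime  = (Get-Date).AddDays(-1)

# Select-Object keeps real objects that Export-Csv (or Export-Clixml) can
# serialise. Format-List would replace them with formatting records that
# carry no event data, which is why only one property survived the export.
$Properties = 'MachineName', 'TimeGenerated', 'EventID', 'EntryType',
              'Category', 'Source', 'UserName', 'Message'

Get-Content $ServerList | ForEach-Object {
    $Server = $_
    try {
        # -EntryType filters on the remote side before events cross the
        # network, which is what keeps a Security-log pull tractable.
        Get-EventLog -LogName Security -ComputerName $Server -After $StartTime `
                     -EntryType Error, FailureAudit, Warning -ErrorAction Stop |
            Select-Object -Property $Properties
    }
    catch {
        # Record an unreachable or denied host as a row of its own so the
        # gap is visible in the output instead of silently missing.
        [pscustomobject]@{
            MachineName   = $Server
            TimeGenerated = Get-Date
            EventID       = $null
            EntryType     = 'CollectionError'
            Category      = $null
            Source        = 'Get-EventLog'
            UserName      = $null
            Message       = $_.Exception.Message
        }
    }
} | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# The multi-line Message field survives the round trip; Import-Csv shows
# the whole text, whereas a narrow Excel column shows only its first word.
Import-Csv $OutFile | Group-Object EntryType | Select-Object Name, Count
```

The final line prints a per-type count (including any CollectionError rows) so a short pull can be sanity-checked before the CSV is opened elsewhere.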
