Someone on the forum asked how to use a PowerShell script to query the file-modification audit log. My own server does not have that audit policy enabled, but I wrote a similar script that queries the log and outputs the XML content of the matching events.
The basic method is Get-WinEvent: specify the EventID you want and you get the list of matching records. To get at the specific content of an event, you have to read the XML of that event, and the XML layout differs from one event type to another.
For example:
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{LogName='Security'; ID=4771} -MaxEvents 1
$eventXML = [xml]$Events.ToXml()
$eventXML.Event.EventData.Data
Following the same idea, to fetch the latest 20 event 4771 records (Kerberos pre-authentication failed) and output the parsed results:
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{LogName='Security'; ID=4771} -MaxEvents 20
# Parse out the event message data
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    # Iterate through each one of the XML message properties
    for ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        # Append these as object properties, named after the Data element's Name attribute
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].Name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}
$Events | Select-Object Message, TargetUserName, IpAddress, TimeCreated | Out-GridView
Sometimes there are a great many events and I want to restrict the time range. Do not do this with Where-Object: that pulls every record out of the log to the client before filtering, so you may wait a very long time before any result appears.
Instead, use an XML filter (the -FilterXml parameter), which the event log service evaluates on the server side.
The XPath for the filter can be generated in Event Viewer: choose Filter Current Log, set the criteria, and copy the query from the XML tab.
Because this example queries a different event (Application log event 1002), its EventData layout is different, so the script is changed slightly: it reads one Data element by position instead of by name. Note that the `<=` inside the XPath must be written as `&lt;=` in the XML, exactly as Event Viewer emits it; a bare `<` in element text is not well-formed XML and the [xml] cast fails.
[xml]$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=1002) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
"@
# Alternative: an XPath string against the Security log, limited to the last 24 hours (86400000 ms), kept commented out
#Get-WinEvent -ComputerName $DC.dc -LogName Security -FilterXPath "*[System[(EventID=529 or EventID=644 or EventID=675 or EventID=676 or EventID=681 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]" -MaxEvents 50
$Events = Get-WinEvent -ComputerName syddc01 -FilterXml $xmlFilter
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    # Expose the sixth Data element (index 5) of this event as a property named App
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name "App" -Value $eventXML.Event.EventData.Data[5]
}
$Events | Select-Object Message, App, ProviderName, TimeCreated | Out-GridView
The results appear in the Out-GridView window with the App column filled in.
In this way we can automate some common tasks, such as tracking locked-out users. The traditional procedure takes 5 to 10 minutes: run LockoutStatus.exe to find the DC that recorded the lockout, then search that DC for the corresponding event and time, then pick out the IP address and username, and so on. The script gets the same information in about 10 seconds.
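As an added example (my code, not the post's own script), the following combines the time-bounded XML filter from the previous section with the lockout-tracking workflow just described. It generalizes the post's query in two ways: the EventData fields are flattened into properties by one helper that works for any Security event, and the account name is pushed into the XPath so that Where-Object is not needed for it either. The DC name syddc01 is the post's placeholder; the account name, time window, and the function names are assumptions. Event 4740 is always written on the PDC emulator (bad-password counts are forwarded there), so point $DC at it.

```powershell
# Added example, not code from the original post.  Assumptions: 'syddc01' is the post's
# placeholder DC; the function names and parameters are invented for this illustration.
# Reading a remote Security log needs Event Log Readers (or admin) rights on the DC and the
# Remote Event Log Management firewall rule enabled there.

function ConvertTo-EventObject {
    # Flatten the named <Data Name="..."> elements of EventData into properties of one
    # PSCustomObject, so 4740, 4771 and 4625 records can be handled by the same code.
    param($Event)
    $props = [ordered]@{
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
    }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        # Unnamed Data elements (as in Application Hang 1002) come back as plain strings;
        # only elements carrying a Name attribute become properties here.
        if ($d -is [System.Xml.XmlElement] -and $d.Name) {
            $props[$d.Name] = $d.'#text'
        }
    }
    [pscustomobject]$props
}

function Get-LockoutTrail {
    param(
        [string]$DC    = 'syddc01',   # placeholder from the post; use the PDC emulator
        [string]$User  = '*',         # sAMAccountName, or '*' for every account
        [int]   $Hours = 24
    )

    # timediff() works in milliseconds, so 24 hours is 86400000 (the value used in the post).
    $ms = $Hours * 3600 * 1000

    # Push the account filter into the query as well, so the DC does the work, not Where-Object.
    $userClause = ''
    if ($User -ne '*') {
        $userClause = " and EventData[Data[@Name='TargetUserName']='$User']"
    }

    # Same structure as the query Event Viewer shows on its XML tab.  '&lt;' is mandatory:
    # a bare '<' in element text is not well-formed XML and the cast to [xml] fails.
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4740 or EventID=4771 or EventID=4625) and
               TimeCreated[timediff(@SystemTime) &lt;= $ms]]$userClause]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    Get-WinEvent -ComputerName $DC -FilterXml $query -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventObject $_ } |
        ForEach-Object {
            # 4740 names the machine that sent the bad passwords in TargetDomainName
            # ("Caller Computer Name"); 4771 and 4625 carry the client IP in IpAddress.
            $source = if ($_.Id -eq 4740) { $_.TargetDomainName } else { $_.IpAddress }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                User   = $_.TargetUserName
                Source = $source
            }
        } |
        Sort-Object Time -Descending
}

# Usage: every lockout-related event for account 'jdoe' (assumed name) in the last 2 hours.
Get-LockoutTrail -User 'jdoe' -Hours 2 | Format-Table -AutoSize
```

The 4740 row tells you which computer triggered the lockout, and the 4771/4625 rows in the same window give the IP address and time of each failed attempt, which is the same information the manual LockoutStatus.exe procedure produces. If the function returns nothing, check first whether the Security log on that DC actually covers the requested window; busy DCs can roll over in well under 24 hours.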
This article is from the "Mapo Tofu" blog; please keep this source: http://beanxyz.blog.51cto.com/5570417/1695288
Powershell Query Windows Logs