One of the best uses of PowerShell in my experience is auditing the Event Logs, and then emailing a HTML report highlighting issues. The issue I have had with that, is once I know what Event ID I want from what Event Log, is knowing what properties exactly to extract, so I can see the Person who did it, on what Machine it happened, what time the event happened. There are undoubtedly a bunch of things you might want, and the issue is many of the real gritty details are hidden in the Properties[x].Value component.
Trickier still the Account name might be Properties[6].Value in one Event Log, and then in Properties[4].Value in another.
Today we decided we wanted to add Password Changes for the Admin and Services accounts to our Audit script (Event ID 4723 and 4724 if done by the affected account, or my another account)
This script looks at roughly 20 AD Event IDs in the Security Log, so I needed to look inside or trawl the internet (once again) for what was stored where, so I could do a foreach ($event in $global:EventLogs), that would extract the accounts involved and some other details.
The Script
I’ve used my Base Menu Script (read about it here), so there is a bunch of structure in there to make it dynamic, smooth and easy to read and edit, but in the guts there are two key components:
Reading an Event Log
#------------------------------------------------------------------------------------------------
# Do the Scan of the Targeted Event Log
#------------------------------------------------------------------------------------------------
Function Do-Scan{
cls
#Converts the Hours back in to Milliseconds back
$GoTime = $global:HoursBack*3600000
#Create XML Filter
$FilterSEC = '<QueryList>
<Query Id="0" Path="'
$FilterSEC += $global:Events
$FilterSEC += '">
<Select Path="'
$FilterSEC += $global:Events
$FilterSEC += '">*[System[(EventID='
$FilterSEC += $global:EventID
$FilterSEC += ') and TimeCreated[timediff(@SystemTime) <= '
$FilterSEC += $GoTime
$FilterSEC += ']]]</Select>
</Query>
</QueryList>'
$global:eventslog = Get-WinEvent -ComputerName $global:LogServer -FilterXml $FilterSEC
$ErrorActionPreference= 'continue'
Show-Results
}I always do my Event queries as Get-WinEvent and -FilterXML; I find them to be the quickest to run, and you really want to lock down that filter, as you may want to target all the DCs, and when doing that you really want that filter to be targeting only the Events you actually want.
You’ll notice the $FilterSec is made up of other components that you can change from the menu as shown below:
Outputting all the Events Properties
#------------------------------------------------------------------------------------------------
# Show Results in two Formats
#------------------------------------------------------------------------------------------------
Function Show-Results{
Write-Host " EVENT Property Extractor" -ForegroundColor Cyan
Write-Host " ---------------------------------------------"
Write-Host " "
Write-Host " Source: " $global:LogServer
Write-Host " Event Log: " $global:Events
Write-Host " Event ID: " $global:EventID
Write-Host " Hours Back:" $global:HoursBack
$global:eventslog | select-object -First 1 | fl -Property * | Out-host
$once=$true
foreach ($e in $global:eventslog) {
if ($once -eq $true){
write-host "Properties[0].Value :"$e.Properties[0].Value
write-host "Properties[1].Value :"$e.Properties[1].Value
write-host "Properties[2].Value :"$e.Properties[2].Value
write-host "Properties[3].Value :"$e.Properties[3].Value
write-host "Properties[4].Value :"$e.Properties[4].Value
write-host "Properties[5].Value :"$e.Properties[5].Value
write-host "Properties[6].Value :"$e.Properties[6].Value
write-host "Properties[7].Value :"$e.Properties[7].Value
write-host "Properties[8].Value :"$e.Properties[8].Value
write-host "Properties[9].Value :"$e.Properties[9].Value
write-host "Properties[10].Value :"$e.Properties[10].Value
write-host "Properties[11].Value :"$e.Properties[11].Value
write-host "Properties[12].Value :"$e.Properties[12].Value
write-host "Properties[13].Value :"$e.Properties[13].Value
write-host "Properties[14].Value :"$e.Properties[14].Value
write-host "Properties[15].Value :"$e.Properties[15].Value
write-host "Properties[16].Value :"$e.Properties[16].Value
write-host "Properties[17].Value :"$e.Properties[17].Value
write-host "Properties[18].Value :"$e.Properties[18].Value
write-host "Properties[19].Value :"$e.Properties[19].Value
write-host "Properties[20].Value :"$e.Properties[20].Value
write-host "Properties[21].Value :"$e.Properties[21].Value
write-host "Properties[22].Value :"$e.Properties[22].Value
write-host "Properties[23].Value :"$e.Properties[23].Value
write-host "Properties[24].Value :"$e.Properties[24].Value
write-host "Properties[25].Value :"$e.Properties[25].Value
write-host "Properties[26].Value :"$e.Properties[26].Value
write-host "Properties[27].Value :"$e.Properties[27].Value
write-host "Properties[28].Value :"$e.Properties[28].Value
write-host "Properties[29].Value :"$e.Properties[29].Value
}
$once=$false
}
Make-Menu -MenuTitle "Do Another?" `
-Option1 "Yes" -Function1 "Do-Welcome" `
-Option2 "No" -Function2 "Get-Quiting"
}Finally the results, which we dump the default view, and then go through 30 other possible values that could be buried in the Message part of the Event, and are often the key information you are looking for.
What it Doesn’t Do
Because this is just a tool that you will use to help you write actual functional scripts, I didn’t make it perfectly polished, or with error handling. Here’s what is doesn’t do:
- Check if a Event ID of that type exists.
- Restrict the Event Log selection to only valid sources.
- Allow you to enter a Log Server source.
- Allow you to move through a series of the Events with the full display.
Remember its a quick tool just for helping me find the properties of (in my specific case today), who’s password was changed, and who did the changing.
Download the Script
EventLog_Props.ps1 https://github.com/Works4Me-Info/PS_EventLog-Properties
Below is an example of the kind of output you would expect to see. I’ve put it at the bottom here, so it doesn’t hide the Download option.
