Question

I'm looking to use PowerShell to monitor the "Security" logs of a list of 2003 and 08 servers for a specific event ID. So far I've used this:

    $servers = gc c:\temp\servers.txt
    foreach ($server in $servers)
    {
        # WQL needs a space between TargetInstance and ISA
        $Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = '529'"

        # The -Action script block has to start on the same line as the cmdlet
        Register-WMIEvent -ComputerName $server -Query $Query -SourceIdentifier "$server" -Action {
            Write-Host "The following Event ID of 529 has been found in the Security log on $server"
        }
    }

But how can you get the time stamp of the log entry, and only the latest one if present?

Solution 2

OTHER TIPS

Forget WMI. Use get-eventlog.

    [string[]]$Servers = @("server1","server2")
    # Newest matching entry, reduced to ID, timestamp and source machine
    Get-EventLog -LogName Security -ComputerName $Servers -Newest 1 -InstanceId 529 | select EventID,TimeGenerated,MachineName

Keep it simple:

    $servers = gc c:\temp\servers.txt
    foreach ($server in $servers)
    {
        # Read the whole Security log, then keep only entries with ID 529
        $events = Get-EventLog -ComputerName $server -LogName "Security" | Where-Object {$_.EventID -eq "529"}
        if ($events -ne $null)
        {
            foreach ($event in $events)
            {
                # Timestamp of each matching entry
                $event.TimeGenerated
            }
        }
    }
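
Added example, not part of the original answers: a per-server report of the most recent matching Security event and its timestamp, where a server that cannot be read or has no match is recorded in the report instead of stopping the loop. It uses the `c:\temp\servers.txt` list from the question and, as an assumption beyond the thread, also looks for 4625, the failed-logon ID that Server 2008 writes in place of Server 2003's 529.

```powershell
# Added example (not from the thread). Written without PowerShell 3+ syntax
# so it also runs on the PowerShell 2.0 hosts of that server generation.
$servers  = Get-Content 'C:\temp\servers.txt'   # list path taken from the question
$eventIds = 529, 4625                            # assumption: 2003 and 2008 failed-logon IDs

$report = foreach ($server in $servers) {
    $row = New-Object PSObject -Property @{
        Server        = $server
        EventID       = $null
        TimeGenerated = $null
        Status        = 'no matching event'
    }
    try {
        # -InstanceId filters the log; -Newest 1 keeps the most recent match.
        $latest = Get-EventLog -ComputerName $server -LogName Security `
                      -InstanceId $eventIds -Newest 1 -ErrorAction Stop
        if ($latest) {
            $row.EventID       = $latest.EventID
            $row.TimeGenerated = $latest.TimeGenerated
            $row.Status        = 'found'
        }
    }
    catch {
        # Get-EventLog raises an error for an unreachable server, missing
        # rights, or an empty result; keep the message so the report shows which.
        $row.Status = $_.Exception.Message
    }
    $row
}

# One line per server, including the ones that failed
$report | Select-Object Server, EventID, TimeGenerated, Status | Format-Table -AutoSize
```
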
Licensed under: CC-BY-SA with attribution