If you want to audit the Active Directory, this is the project you need:
- low cost
- efficient search
- Bootstrap web design
- export events easily in CSV format
Visit the project page here
The resources used for this project are:
- LAMP server
- Microsoft Event Forwarder engine
- Bootstrap css/javascript
- Datatables jQuery library
- MySQL for the event storage
Reference
Gets events from event logs and event tracing log files on local and remote computers.
Syntax
Parameter Set: GetLogSet
Get-WinEvent [[-LogName]] [-ComputerName ] [-Credential ] [-FilterXPath ] [-Force] [-MaxEvents ] [-Oldest] [ ]
Parameter Set: FileSet
Get-WinEvent [-Path] [-Credential ] [-FilterXPath ] [-MaxEvents ] [-Oldest] [ ]
Parameter Set: GetProviderSet
Get-WinEvent [-ProviderName] [-ComputerName ] [-Credential ] [-FilterXPath ] [-Force] [-MaxEvents ] [-Oldest] [ ]
Parameter Set: HashQuerySet
Get-WinEvent [-FilterHashtable] [-ComputerName ] [-Credential ] [-Force] [-MaxEvents ] [-Oldest] [ ]
Parameter Set: ListLogSet
Get-WinEvent [-ListLog] [-ComputerName ] [-Credential ] [-Force] [ ]
Parameter Set: ListProviderSet
Get-WinEvent [-ListProvider] [-ComputerName ] [-Credential ] [ ]
Parameter Set: XmlQuerySet
Get-WinEvent [-FilterXml] [-ComputerName ] [-Credential ] [-MaxEvents ] [-Oldest] [ ]
Detailed Description
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).
Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.
Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers, and you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.
Parameters
-ComputerName
Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. The default value is the local computer.
This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach statement. For more information about this parameter, see the examples.
To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.
This cmdlet does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.
Aliases | none |
Required? | false |
Position? | named |
Default Value | Local computer |
Accept Pipeline Input? | false |
Accept Wildcard Characters? | false |
-Credential
Specifies a user account that has permission to perform this action. The default value is the current user.
Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.
Aliases | none |
Required? | false |
Position? | named |
Default Value | Current user |
Accept Pipeline Input? | false |
Accept Wildcard Characters? | false |
-FilterHashtable
Uses a query in hash table format to select events from one or more event logs. The query contains a hash table with one or more key-value pairs.
Hash table queries have the following rules:
— Keys and values are case-insensitive.
— Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.
— Each key can be listed only once in each hash-table.
— The Path value takes paths to .etl, .evt, and .evtx log files.
— The LogName, Path, and ProviderName keys can be used in the same query.
— The UserID key can take a valid security identifier (SID) or a domain account name that can be used to construct a valid System.Security.Principal.NTAccount object.
— The Data value takes event data in an unnamed field. This is for events in classic event logs.
— The * key represents a named event data field.
When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a case-sensitive name for the event data in the event.
The valid key-value pairs are as follows:
— LogName=
— ProviderName=
— Path=
— Keywords=
— ID=
— Level=
— StartTime=
— EndTime=
— UserID=
— Data=
— *=
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | none |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | false |
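The following is an added example (not code from the original page or from the audit project it describes) of the hash-table filter in practice: it pulls failed-logon records (event ID 4625) from the Security log for the last 24 hours, expands the named EventData fields that the hash-table keys above refer to, tallies failures per account and writes the rows to CSV. The `$Computer` and `$OutFile` values are assumptions.

```powershell
# Added example, not part of the original reference. Assumes the caller has
# read access to the Security log on $Computer and that $OutFile is writable.
param(
    [string]$Computer = $env:COMPUTERNAME,
    [string]$OutFile  = "$env:TEMP\failed-logons.csv"
)

# The hash table is evaluated while events are read, so only matching
# records cross the wire; this is far cheaper than Where-Object afterwards.
$filter = @{
    LogName   = 'Security'
    ID        = 4625                          # "An account failed to log on"
    StartTime = (Get-Date).AddDays(-1)
}

try {
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error, rather than returning nothing, when no
    # event matches the filter; treat that case as an empty result.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() }
    else { throw }
}

# The named fields live in <EventData><Data Name="...">; the base
# EventLogRecord properties do not expose them by name, so read the XML.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Computer       = $e.MachineName
        TargetUserName = $data['TargetUserName']
        TargetDomain   = $data['TargetDomainName']
        IpAddress      = $data['IpAddress']
        LogonType      = $data['LogonType']
        Status         = $data['Status']
    }
}

# Accounts with the most failures first: a quick view of which identities
# are seeing repeated failed logons and deserve a closer look.
$rows | Group-Object TargetUserName -NoElement |
    Sort-Object Count -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize

# Raw rows for the web front end or a spreadsheet.
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```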
-FilterXPath
Uses an XPath query to select events from one or more logs.
For more information about the XPath language, see “XPath Reference” in the MSDN library at http://go.microsoft.com/fwlink/?LinkId=242509 and “Selection Filters” in “Event Selection” in the MSDN library at http://go.microsoft.com/fwlink/?LinkId=242510.
Aliases | none |
Required? | false |
Position? | named |
Default Value | None |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | false |
-FilterXml
Uses a structured XML query to select events from one or more event logs.
To generate a valid XML query, use the Create Custom View and Filter Current Log features in Event Viewer. Use the items in the dialog box to create a query, and then click the XML tab to view the query in XML format. You can copy the XML from the XML tab into the value of the FilterXml parameter. For more information about the Event Viewer features, see Event Viewer Help.
Typically, you use an XML query to create a complex query that contains several XPath statements. The XML format also allows you to use a “Suppress” XML element that excludes events from the query. For more information about the XML schema for event log queries, see the following topics in the MSDN (Microsoft Developer Network) library.
— “Query Schema”: http://go.microsoft.com/fwlink/?LinkId=143685
— “XML Event Queries” in “Event Selection”: http://go.microsoft.com/fwlink/?LinkID=143608
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | false |
-Force
Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.
By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.
Aliases | none |
Required? | false |
Position? | named |
Default Value | Debugging and analytic logs are not returned in response to queries that use wildcard characters. |
Accept Pipeline Input? | false |
Accept Wildcard Characters? | false |
-ListLog
Gets the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. To get all the logs, enter a value of *.
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | true |
-ListProvider
Gets the specified event log providers. An event log provider is a program or service that writes events to the event log.
Enter the provider names in a comma-separated list. Wildcards are permitted. To get the providers of all the event logs on the computer, enter a value of *.
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | true |
-LogName
Gets events from the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. You can also pipe log names to Get-WinEvent.
Aliases | none |
Required? | false |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | true |
-MaxEvents
Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.
Aliases | none |
Required? | false |
Position? | named |
Default Value | All events |
Accept Pipeline Input? | true (ByValue, ByPropertyName) |
Accept Wildcard Characters? | false |
-Oldest
Returns the events in oldest-first order. By default, events are returned in newest-first order.
This parameter is required to get events from .etl and .evt files and from debug and analytic logs. In these files, events are recorded in oldest-first order, and the events can be returned only in oldest-first order.
Aliases | none |
Required? | false |
Position? | named |
Default Value | False |
Accept Pipeline Input? | false |
Accept Wildcard Characters? | false |
-Path
Gets events from the specified event log files. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.
Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions. You can include events from different files and file types in the same command.
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByPropertyName) |
Accept Wildcard Characters? | true |
-ProviderName
Gets events written by the specified event log providers. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.
An event log provider is a program or service that writes events to the event log. It is not a Windows PowerShell provider.
Aliases | none |
Required? | true |
Position? | 1 |
Default Value | None |
Accept Pipeline Input? | true (ByPropertyName) |
Accept Wildcard Characters? | true |
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
- System.String, System.Xml.XmlDocument, System.Collections.Hashtable. You can pipe a LogName (string), a FilterXML query, or a FilterHashTable query to Get-WinEvent.
Outputs
The output type is the type of the objects that the cmdlet emits.
- System.Diagnostics.Eventing.Reader.EventLogConfiguration, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.ProviderMetadata. With the ListLog parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogConfiguration objects. With the ListProvider parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.ProviderMetadata objects. With all other parameters, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogRecord objects.
Notes
- Get-WinEvent runs on Windows Vista, Windows Server 2008 R2, and later versions of Windows.
- Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell for backward compatibility.
- The Get-WinEvent and Get-EventLog cmdlets are not supported in Windows Preinstallation Environment (Windows PE).
Examples
————————– EXAMPLE 1 ————————–
This command gets all the logs on the local computer.
Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.
Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.
PS C:\> Get-WinEvent -ListLog *
————————– EXAMPLE 2 ————————–
These commands get an object that represents the classic System log on the local computer. The object includes useful information about the log, including its size, event log provider, file path, and whether it is enabled.
PS C:\> Get-WinEvent -ListLog Setup | Format-List -Property *
FileSize                       : 69632
IsLogFull                      : False
LastAccessTime                 : 2/14/2008 12:55:12 AM
LastWriteTime                  : 7/9/2008 3:12:05 AM
OldestRecordNumber             : 1
RecordCount                    : 3
LogName                        : Setup
LogType                        : Operational
LogIsolation                   : Application
IsEnabled                      : True
IsClassicLog                   : False
SecurityDescriptor             : O:BAG:SYD:(A;;0xf0007;;;SY)(A; (A;;0x1;;;S-1-5-32-573)
LogFilePath                    : %SystemRoot%\System32\Winevt\L
MaximumSizeInBytes             : 1052672
LogMode                        : Circular
OwningProviderName             : Microsoft-Windows-Eventlog
ProviderNames                  : {Microsoft-Windows-WUSA, Micro
ProviderLevel                  :
ProviderKeywords               :
ProviderBufferSize             : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 64
ProviderLatency                : 1000
ProviderControlGuid            :
————————– EXAMPLE 3 ————————–
This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.
The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.
PS C:\> Get-WinEvent -ListLog * -ComputerName Server01 | Where-Object {$_.RecordCount}
————————– EXAMPLE 4 ————————–
The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.
The first command saves the names of the computers in the $s variable.
The second command uses a Foreach statement. For each of the computers in the $s variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs a Get-WinEvent command to get an object that represents the Windows PowerShell log.
PS C:\> $s = "Server01", "Server02", "Server03"
PS C:\> Foreach ($Server in $S) {$Server; Get-WinEvent -ListLog "Windows PowerShell" -Computername $Server}
————————– EXAMPLE 5 ————————–
This command gets the event log providers on the local computer and the logs to which they write, if any.
PS C:\> Get-WinEvent -ListProvider *
————————– EXAMPLE 6 ————————–
This command gets all of the providers that write to the Application log on the local computer.
PS C:\> (Get-WinEvent -ListLog Application).ProviderNames
————————– EXAMPLE 7 ————————–
This command gets the event log providers whose names include the word “policy.”
PS C:\> Get-WinEvent -ListProvider *policy*
————————– EXAMPLE 8 ————————–
This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.
It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.
PS C:\> (Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table ID, Description -AutoSize
————————– EXAMPLE 9 ————————–
This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.
The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $Events variable. The log name is enclosed in quotation marks because it contains a space.
PS C:\> $Events = Get-WinEvent -LogName "Windows PowerShell"
The second command uses the Count property of object collections to find the number of entries in the event log.
PS C:\> $Events.Count
195
The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.
PS C:\> $Events | Group-Object -Property Id -NoElement | Sort-Object -Property Count -Descending
Count Name
----- ----
  147 600
   22 400
   21 601
    3 403
    2 103
The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.
PS C:\> $Events | Group-Object -Property LevelDisplayName -NoElement
Count Name
----- ----
    2 Warning
  193 Information
————————– EXAMPLE 10 ————————–
This command gets the error events whose names include “disk” from all of the event logs on the computer and from the Microsoft-Windows-Kernel-WHEA event log.
PS C:\> Get-WinEvent -LogName *disk*, Microsoft-Windows-Kernel-WHEA
————————– EXAMPLE 11 ————————–
This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.
PS C:\> Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'
————————– EXAMPLE 12 ————————–
These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.
The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.
PS C:\> Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -MaxEvents 100 -Oldest
The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracing.etl file. It pipes the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it pipes the sorted events to the Select-Object cmdlet to select the newest 100 events.
PS C:\> Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -Oldest | Sort-Object -Property TimeCreated -Descending | Select-Object -First 100
————————– EXAMPLE 13 ————————–
This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.
You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.
The command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.
PS C:\> Get-WinEvent -Path "C:\Tracing\TraceLog.etl", "c:\Logs\Windows PowerShell.evtx" -Oldest | Where-Object {$_.ID -eq "103"}
————————– EXAMPLE 14 ————————–
This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.
The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.
Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.
PS C:\> # Use the Where-Object cmdlet
PS C:\> $yesterday = (Get-Date) - (New-TimeSpan -Day 1)
PS C:\> Get-WinEvent -LogName "Windows PowerShell" | Where-Object {$_.TimeCreated -ge $yesterday}
PS C:\> # Use FilterHashTable
PS C:\> $yesterday = (Get-Date) - (New-TimeSpan -Day 1)
PS C:\> Get-WinEvent -FilterHashTable @{LogName='Windows PowerShell'; Level=3; StartTime=$yesterday}
PS C:\> # Use FilterXML
PS C:\> Get-WinEvent -FilterXML ""
PS C:\> # Use FilterXPath
PS C:\> Get-WinEvent -LogName "Windows Powershell" -FilterXPath "*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
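The XML body of the FilterXML variant above did not survive on this page, and the FilterXml parameter description mentions a “Suppress” element without showing one. The following is an added example (not code from the original reference) that writes the "last 24 hours" query for the Windows PowerShell log in full, uses Suppress to drop the engine state-change events (IDs 400 and 403, the ones seen in Example 9), and checks the count against the hash-table form plus a post-retrieval Where-Object, which is the only way the hash-table syntax can express an exclusion.

```powershell
# Added example, not part of the original reference. Assumes the local
# "Windows PowerShell" log exists and is readable by the current user.

# The query shape is what Event Viewer's "Filter Current Log > XML" tab
# produces. Inside XML the XPath "<=" must be escaped as "&lt;=".
$query = @'
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <!-- timediff() works in milliseconds: 86400000 ms = 24 hours -->
    <Select Path="Windows PowerShell">
      *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <!-- Suppress removes matches from the Select set: engine lifecycle
         noise (400 = engine available, 403 = engine stopped) -->
    <Suppress Path="Windows PowerShell">
      *[System[(EventID=400 or EventID=403)]]
    </Suppress>
  </Query>
</QueryList>
'@

# Filtering happens in the event log service, before records are returned.
$xmlEvents = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue

# Hash-table equivalent of the Select half. The hash-table syntax has no
# "not", so the exclusion has to be applied after retrieval.
$yesterday = (Get-Date).AddDays(-1)
$htEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; StartTime = $yesterday } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -notin 400, 403 }

# The two counts should agree, apart from events written between the calls.
"FilterXml: {0}  FilterHashtable + Where-Object: {1}" -f @($xmlEvents).Count, @($htEvents).Count
```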
————————– EXAMPLE 15 ————————–
This example uses a filter hash table to get events from the performance log.
The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date variable.
The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.
The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.
PS C:\> $date = (Get-Date).AddDays(-2)
PS C:\> $events = Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }
————————– EXAMPLE 16 ————————–
This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.
The first command gets the date that is seven days before the current date and stores it in the $StartTime variable.
The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase “iexplore.exe”.
The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.
PS C:\> $StartTime = (Get-Date).AddDays(-7)
PS C:\> $IE_Error = Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="Application Error"; Data="iexplore.exe"; StartTime=$StartTime}
Dear,
Seems that your detailed guide has been removed; would you please release it again.
Great thanks!
Scott
Hello Scott, the guide and the links to the virtual machines are available here: https://www.shellandco.net/audit-active-directory/
Thank you