Snap35

If you want to audit the Active Directory, this is the project you need :

  • low cost
  • Efficient search
  • Bootstrap web design
  • Export events easily in a csv format

Visit now the project page here

The resources used for this project are :
– LAMP server
– Microsoft Event Forwarder engine
– Bootstrap css/javascript
– Datatables JQuery Library
– Mysql for the event storage


Reference

Get-WinEvent

Gets events from event logs and event tracing log files on local and remote computers.

Syntax

Parameter Set: GetLogSet
Get-WinEvent [[-LogName]  ] [-ComputerName  ] [-Credential  ] [-FilterXPath  ] [-Force] [-MaxEvents  ] [-Oldest] [ ]

Parameter Set: FileSet
Get-WinEvent [-Path]  [-Credential  ] [-FilterXPath  ] [-MaxEvents  ] [-Oldest] [ ]

Parameter Set: GetProviderSet
Get-WinEvent [-ProviderName]  [-ComputerName  ] [-Credential  ] [-FilterXPath  ] [-Force] [-MaxEvents  ] [-Oldest] [ ]

Parameter Set: HashQuerySet
Get-WinEvent [-FilterHashtable]  [-ComputerName  ] [-Credential  ] [-Force] [-MaxEvents  ] [-Oldest] [ ]

Parameter Set: ListLogSet
Get-WinEvent [-ListLog]  [-ComputerName  ] [-Credential  ] [-Force] [ ]

Parameter Set: ListProviderSet
Get-WinEvent [-ListProvider]  [-ComputerName  ] [-Credential  ] [ ]

Parameter Set: XmlQuerySet
Get-WinEvent [-FilterXml]  [-ComputerName  ] [-Credential  ] [-MaxEvents  ] [-Oldest] [ ]

Detailed Description

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.

Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command.Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

Parameters

-ComputerName

Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. The default value is the local computer.

This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach statement. For more information about this parameter, see the examples.

To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.

This cmdlet does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.

Aliases none
Required? false
Position? named
Default Value Local computer
Accept Pipeline Input? false
Accept Wildcard Characters? false

-Credential

Specifies a user account that has permission to perform this action. The default value is the current user.

Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.

Aliases none
Required? false
Position? named
Default Value Current user
Accept Pipeline Input? false
Accept Wildcard Characters? false

-FilterHashtable

Uses a query in hash table format to select events from one or more event logs. The query contains a hash table with one or more key-value pairs.

Hash table queries have the following rules:

— Keys and values are case-insensitive.

— Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.

— Each key can be listed only once in each hash-table.

— The Path value takes paths to .etl, .evt, and .evtx log files.

— The LogName, Path, and ProviderName keys can be used in the same query.

— The UserID key can take a valid security identifier (SID) or a domain account name that can be used to construct a valid System.Security.Principal.NTAccount object.

— The Data value takes event data in an unnamed field. This is for events in classic event logs.

— The * key represents a named event data field.

When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a case-sensitive name for the event data in the event.

The valid key-value pairs are as follows:

— LogName=
— ProviderName=
— Path=
— Keywords=
— ID=
— Level=
— StartTime=
— EndTime=
— UserID=
— Data=
— *=

Aliases none
Required? true
Position? 1
Default Value none
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? false

-FilterXPath

Uses an XPath query to select events from one or more logs.

For more information about the XPath language, see “XPath Reference” in the MSDN library at http://go.microsoft.com/fwlink/?LinkId=242509 and “Selection Filters” in “Event Selection” in the MSDN library athttp://go.microsoft.com/fwlink/?LinkId=242510.

Aliases none
Required? false
Position? named
Default Value None
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? false

-FilterXml

Uses a structured XML query to select events from one or more event logs.

To generate a valid XML query, use the Create Custom View and Filter Current Log features in Event Viewer. Use the items in the dialog box to create a query, and then click the XML tab to view the query in XML format. You can copy the XML from the XML tab into the value of the FilterXml parameter. For more information about the Event Viewer features, see Event Viewer Help.

Typically, you use an XML query to create a complex query that contains several XPath statements. The XML format also allows you to use a “Suppress” XML element that excludes events from the query. For more information about the XML schema for event log queries, see the following topics in the MSDN (Microsoft Developer Network) library.

— “Query Schema”: http://go.microsoft.com/fwlink/?LinkId=143685

— “XML Event Queries” in “Event Selection”: http://go.microsoft.com/fwlink/?LinkID=143608

Aliases none
Required? true
Position? 1
Default Value None
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? false

-Force

Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.

By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.

Aliases none
Required? false
Position? named
Default Value Debugging and analytic logs are not returned in response to queries that use wildcard characters.
Accept Pipeline Input? false
Accept Wildcard Characters? false

-ListLog

Gets the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. To get all the logs, enter a value of *.

Aliases none
Required? true
Position? 1
Default Value None
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? true

-ListProvider

Gets the specified event log providers. An event log provider is a program or service that writes events to the event log.

Enter the provider names in a comma-separated list. Wildcards are permitted. To get the providers of all the event logs on the computer, enter a value of *.

Aliases none
Required? true
Position? 1
Default Value None
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? true

-LogName

Gets events from the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. You can also pipe log names to Get-WinEvent.

Aliases none
Required? false
Position? 1
Default Value None
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? true

-MaxEvents

Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.

Aliases none
Required? false
Position? named
Default Value All events
Accept Pipeline Input? true (ByValue, ByPropertyName)
Accept Wildcard Characters? false

-Oldest

Returns the events in oldest-first order. By default, events are returned in newest-first order.

This parameter is required to get events from .etl and .evt files and from debug and analytic logs. In these files, events are recorded in oldest-first order, and the events can be returned only in oldest-first order.

Aliases none
Required? false
Position? named
Default Value False
Accept Pipeline Input? false
Accept Wildcard Characters? false

-Path

Gets events from the specified event log files. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.

Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions. You can include events from different files and file types in the same command.

Aliases none
Required? true
Position? 1
Default Value None
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? true

-ProviderName

Gets events written by the specified event log providers. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.

An event log provider is a program or service that writes events to the event log. It is not a Windows PowerShell provider.

Aliases none
Required? true
Position? 1
Default Value None
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? true

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see  about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • System.String, System.Xml.XmlDocument, System.Collections.Hashtable.You can pipe a LogName (string), a FilterXML query, or a FilterHashTable query to Get-WinEvent.

Outputs

The output type is the type of the objects that the cmdlet emits.

  • System.Diagnostics.Eventing.Reader.EventLogConfiguration, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.ProviderMetadataWith the ListLog parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogConfiguration objects. With the ListProvider parameter, Get-WinEvent returnsSystem.Diagnostics.Eventing.Reader.ProviderMetadata objects. With all other parameters, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogRecord objects.

Notes

  • Get-WinEvent runs on Windows Vista, Windows Server 2008 R2, and later versions of Windows.
  • Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell for backward compatibility.
  • The Get-WinEvent and Get-EventLog cmdlets are not supported in Windows Preinstallation Environment (Windows PE).

Examples

————————– EXAMPLE 1 ————————–

This command gets all the logs on the local computer.

Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.

Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.

PS C:\> Get-WinEvent -ListLog  *

————————– EXAMPLE 2 ————————–

These commands get an object that represents the classic System log on the local computer. The object includes useful information about the log, including its size, event log provider, file path, and whether it is enabled.

PS C:\> Get-WinEvent -ListLog Setup | Format-List -Property *
              
FileSize                       : 69632
IsLogFull                      : False
LastAccessTime                 : 2/14/2008 12:55:12 AM
LastWriteTime                  : 7/9/2008 3:12:05 AM
OldestRecordNumber             : 1
RecordCount                    : 3
LogName                        : Setup
LogType                        : Operational
LogIsolation                   : Application
IsEnabled                      : True
IsClassicLog                   : False
SecurityDescriptor             : O:BAG:SYD:(A;;0xf0007;;;SY)(A;
(A;;0x1;;;S-1-5-32-573)
LogFilePath                    : %SystemRoot%\System32\Winevt\L
MaximumSizeInBytes             : 1052672
LogMode                        : Circular
OwningProviderName             : Microsoft-Windows-Eventlog
ProviderNames                  : {Microsoft-Windows-WUSA, Micro
ProviderLevel                  :
ProviderKeywords               :
ProviderBufferSize             : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 64
ProviderLatency                : 1000
ProviderControlGuid            :

————————– EXAMPLE 3 ————————–

This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.

The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.

PS C:\> Get-WinEvent -ListLog * -ComputerName Server01 |Where-Object {$_.RecordCount}

————————– EXAMPLE 4 ————————–

The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.

The first command saves the names of the computers in the $s variable.

The second command uses a Foreach statement. For each of the computers in the $s variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs aGet-WinEvent command to get an object that represents the Windows PowerShell log.

PS C:\> $s = "Server01", "Server02", "Server03"
PS C:\>Foreach ($Server in $S) {$Server; Get-WinEvent -ListLog "Windows PowerShell" -Computername $Server}

————————– EXAMPLE 5 ————————–

This command gets the event log providers on the local computer and the logs to which they write, if any.

PS C:\> Get-WinEvent -ListProvider *

————————– EXAMPLE 6 ————————–

This command gets all of the providers that write to the Application log on the local computer.

PS C:\> (Get-WinEvent -ListLog Application).ProviderNames

————————– EXAMPLE 7 ————————–

This command gets the event log providers whose names include the word “policy.”

PS C:\> Get-WinEvent -ListProvider *policy*

————————– EXAMPLE 8 ————————–

This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.

It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.

PS C:\> (Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table ID, Description -AutoSize

————————– EXAMPLE 9 ————————–

This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.

The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $Events variable. The log name is enclosed in quotation marks because it contains a space.

PS C:\> $Events = Get-WinEvent -LogName "Windows PowerShell"

The second command uses the Count property of object collections to find the number of entries in the event log.

PS C:\> $Events.Count
195

The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.

PS C:\> $Events | Group-Object -Property Id -NoElement | Sort-Object -Property Count -Descending
                
Count Name
----- ----
147 600
22 400
21 601
3 403
2 103

The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.

PS C:\> $Events | Group-Object -Property LevelDisplayName -NoElement
                
Count Name
----- ----
2 Warning
193 Information

————————– EXAMPLE 10 ————————–

This command gets the error events whose names include “disk” from all of the event logs on the computer and from the Microsoft-Windows-Kernel-WHEA event log.

PS C:\> Get-WinEvent -LogName *disk*, Microsoft-Windows-Kernel-WHEA

————————– EXAMPLE 11 ————————–

This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.

PS C:\> Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'

————————– EXAMPLE 12 ————————–

These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.

The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.

PS C:\> Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -MaxEvents 100 -Oldest

The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracing.etl file. It pipes the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it pipes the sorted events to the Select-Object cmdlet to select the newest 100 events.

PS C:\> Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -Oldest | Sort-Object -Property TimeCreated -Descending | Select-Object -First 100

————————– EXAMPLE 13 ————————–

This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.

You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.

The command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.

PS C:\> Get-WinEvent -Path "C:\Tracing\TraceLog.etl", "c:\Logs\Windows PowerShell.evtx" -Oldest | Where-Object {$_.ID -eq "103"}

————————– EXAMPLE 14 ————————–

This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.

The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.

Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.

PS C:\> # Use the Where-Object cmdlet

PS C:\>$yesterday = (Get-Date) - (New-TimeSpan -Day 1)
PS C:\>Get-WinEvent -LogName "Windows PowerShell" | Where-Object {$_.TimeCreated -ge $yesterday}

# Uses FilterHashTable

PS C:\>$yesterday = (Get-Date) - (New-TimeSpan -Day 1)
PS C:\>Get-WinEvent -FilterHashTable @{LogName='Windows PowerShell'; Level=3; StartTime=$yesterday}

# Use FilterXML

PS C:\>Get-WinEvent -FilterXML ""

# Use FilterXPath

PS C:\>Get-WinEvent -LogName "Windows Powershell" -FilterXPath "*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

————————– EXAMPLE 15 ————————–

This example uses a filter hash table to get events from the performance log.

The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.

The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.

PS C:\> $date = (Get-Date).AddDays(-2)
PS C:\>$events = Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }

————————– EXAMPLE 16 ————————–

This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.

The first command gets the date that is seven days before the current date and stores it in the $StartTime variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase “iexplore.exe”.

The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.

PS C:\> $StartTime = (Get-Date).AddDays(-7)
PS C:\>$IE_Error = Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="Application Error"; Data="iexplore.exe"; StartTime=$StartTime}
Audit the Active Directory FREE

2 thoughts on “Audit the Active Directory FREE

Leave a Reply

Your email address will not be published.