
PowerShell 2.0 calling a function from a for loop and capturing parameters in the function


I'm using PowerShell 2.0 and plan to use this on Windows 2008 and Windows 7.

I'm trying to figure out how to call a function from a For Loop and capture the data, so I don't have to repeat the same lines over and over again.

Here's a snippet of what I'm trying to do:

I'd like to pull the bolded lines into a Function so I don't have to repeat them if I'm looking for similar parameters. (i.e., I could search for failures and successes on all of the logon types - 2,3,4,5,7,8,9,10,11)

Code Snippet

####################################################################

# pull security event logs here based on dates
#capture all logon/logoff attempts
$SECLG = Get-Eventlog -LogName Security -ComputerName $NAME -after $STRTDATE -before $ENDDATE | `
?{$_.eventid -eq "4625" -or $_.eventid -eq "4624" -or $_.eventid -eq "4647"}


# determine if pulling all login attempts or just failed ones
# f or failed means only pull failed login attempts
If (($AORF -eq "f") -or ($AORF -eq "failed"))
   {
   # loop through each security event looking for failed login attempts only
   foreach ($EVNT in $SECLG)
      {
       # Failed Interactive Local Login
        if (($EVNT.EventID -eq 4625) -and ($EVNT.ReplacementStrings[10] -eq 2))
          {
           $EVNAME = $EVNT.MachineName
           $EVID = $EVNT.EventID
           $EVENTYPE = $EVNT.EntryType
           $EVTIME = $EVNT.TimeGenerated
           $EVUSER = $EVNT.ReplacementStrings[5]
           $EVLGTYPE = $EVNT.ReplacementStrings[10]
           $EVDESCRIPT = "Local Interactive Login"
           LOGWRITE "$EVNAME, $EVID, $EVENTYPE, $EVTIME, $EVUSER, $EVLGTYPE, $EVDESCRIPT"
          }

####################################################################

The goal is to have a comma separated set of values in a .csv file that can easily be read/sorted/filtered in Excel.

I had to add all of the extra $EV variables in order to write out to the logfile with comma separators.  I could easily get spaces but ran into various problems trying to get the correct syntax to add commas between the values and still get the values outputting properly, so I gave up and went with defining the extra variables.

I've attempted a few methods to call a function in the for loop and I either get empty values separated by commas or "Cannot index into a null array."

Examples of attempts below are to comment out the bolded lines in the for loop and place them in a function then call the function instead of the lines.

Function EVCAPTURE

           $EVNAME = $EVNT.MachineName
           $EVID = $EVNT.EventID
           $EVENTYPE = $EVNT.EntryType
           $EVTIME = $EVNT.TimeGenerated
           $EVUSER = $EVNT.ReplacementStrings[5]
           $EVLGTYPE = $EVNT.ReplacementStrings[10]

Note the $EVNT.ReplacementStrings lines throw the "Cannot index into a null array" this way.

If I exclude them in the function and leave them in the for loop, I get empty values with commas for the items in the function (MachineID, EventID, EntryType, TimeGenerated) and then proper values for EVUSER and EVLGTYPE that had been left in the for loop.

I tried calling the function a few ways in the for loop

EVCAPTURE

EVCAPTURE $EVNT

EVCAPTURE $_

Also tried the function a few ways

Function EVCAPTURE

Function EVCAPTURE($EVNT)

Function EVCAPTURE

    Param ([string]$EVNT)

I'm new to PowerShell, so I suspect it's just a syntax problem and there is a much better way to do this.

Any suggestions would be welcome.
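
One way to move the repeated lines into a function, as an added example that is not part of the original post: the event is passed as an untyped parameter (a [string] parameter converts the event object to text, which leaves no ReplacementStrings array to index), and the function returns the finished line because variables assigned inside a function are local to it. Format-FailedLogon, $LogonTypes and the sample event are hypothetical names and constructed data; the field indexes 5 and 10 are the ones used in the post.

```powershell
# Added example; Format-FailedLogon and $LogonTypes are hypothetical names.
# Logon type numbers are the ones listed in the post.
$LogonTypes = @{
    2 = 'Local Interactive Login'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Format-FailedLogon {
    # $Entry is left untyped so the event object arrives intact.
    param($Entry)

    # Skip anything that is not a 4625 record with the expected fields.
    if ($null -eq $Entry -or $Entry.EventID -ne 4625) { return }
    $rs = $Entry.ReplacementStrings
    if ($null -eq $rs -or $rs.Count -le 10) { return }

    $type = [int]($rs[10])
    $desc = $LogonTypes[$type]
    if (-not $desc) { $desc = "Logon type $type" }

    # Return the CSV line; variables set in here are not visible to the caller.
    $fields = $Entry.MachineName, $Entry.EventID, $Entry.EntryType,
              $Entry.TimeGenerated.ToString('yyyy-MM-dd HH:mm:ss'),
              $rs[5], $type, $desc
    $fields -join ','
}

# Constructed sample standing in for one Get-EventLog result.
$rs = New-Object string[] 11
$rs[5] = 'jdoe'; $rs[10] = '2'
$sample = New-Object PSObject -Property @{
    MachineName = 'HOST01'; EventID = 4625; EntryType = 'FailureAudit'
    TimeGenerated = (New-Object DateTime 2012,1,15,8,30,0)
    ReplacementStrings = $rs
}

foreach ($EVNT in @($sample)) {
    $line = Format-FailedLogon $EVNT
    if ($line) { $line }   # in the script from the post: LOGWRITE $line
}
```

The function has to be defined earlier in the script than the loop that calls it.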

