Hi all, relative newcomer to PowerShell but loving it as I learn.
Several months back I implemented a scheduled task that archives and clears all the Windows Event Logs on my three DCs. However, when I went to search the archived log (Security in this case) I had to import it and then create a custom search.
What I want to do is run a PowerShell script that will prompt me for an EventID and Date then search the archives for all three servers and return the results to a text (or csv) file.
The script I came up with works well but provides a full dump of the event and all I really need is certain info from each event. For this example I'm searching the Security log for account creation events, or ID=4720. Here's my script:
$logdate = Read-Host "Date to search (yyyymmdd)"
$event = Read-Host "Event ID to search for"
$netid = Read-Host "NetID to send results to"
$sendto = $netid + "@mydomain.edu"
$server = "dc1","dc2","dc3"
$out = @()    # one line per matching event
foreach ($svr in $server){
    $path = "\\LogServer\EventLogs\" + $svr + "-" + $logdate + "*\security.evt"
    # Displays which server log is being scanned
    Write-Host $path
    # Read-Host returns a string; the Id filter expects an integer
    $evts = Get-WinEvent -FilterHashtable @{path=$path;id=[int]$event} -Oldest
    foreach($evt in $evts){
        # $( ) is needed so the property value is expanded, not the object followed by a literal ".id"
        $out += "$($evt.Id),$($evt.ProviderName),$($evt.TimeCreated),$($evt.Message)"
    }
}
$out | Out-File -FilePath D:\Scripts\Testing\testeventidout.txt
The script sort of does what I want but the output is way too much info:
4720,Microsoft-Windows-Security-Auditing,06/20/2013 16:00:08,A user account was created.Subject:
Security ID:S-1-5-21-abunchofnumbers
Account Name:xxxxxxxx
Account Domain:XXXXXX
Logon ID:0x5f867dd1
New Account:
Security ID:S-1-5-21-abunchofnumbers
Account Name:xxxxxxxx
Account Domain:XXXXXX
Attributes:
SAM Account Name:xxxxxxxx
Display Name:Last, First
User Principal Name:xxxxxxxx@domain.edu
Home Directory:-
Home Drive:-
Script Path:-
Profile Path:-
User Workstations:-
Password Last Set:<never>
Account Expires:<never>
Primary Group ID:513
Allowed To Delegate To:-
Old UAC Value:0x0
New UAC Value:0x10
User Account Control:
'Normal Account' - Enabled
User Parameters:-
SID History:-
Logon Hours:<value not set>
Additional Information:
Privileges-
And the above repeats for each event so the file is long and not so easy to read.
I've tried substituting all kinds of stuff in the $out += "", used (), not used () as above. All I want is an output file that gives me the following info:
EventID, Computer, SubjectUserName, TargetUserName, DisplayName
I've included Event ID in the output because I plan to run this script as a summary of certain events, after the logs have been archived, then email the out-file as an attachment to myself and the other sysadmin.
Your insight is greatly appreciated, oh gurus of PowerShell. :)
Dan
Daniel M. Hoyt Microsoft Server Administrator
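Added example, not the original poster's script: the Message property is only a rendered text version of the event, while the structured fields the poster wants (SubjectUserName, TargetUserName, DisplayName) live as named <Data> elements in the event's XML, which Get-WinEvent exposes through ToXml(). The script below parses that XML, keeps just the requested columns and writes a CSV. The archive path layout, the server names and the 4720 event are taken from the post; the function names, the constructed sample record, the output file and the SMTP host are assumptions.

```powershell
# Added example (not the poster's code). Extracts selected fields from archived
# Security events instead of dumping the whole Message.

function ConvertFrom-SecurityEventXml {
    # Turn one event's XML (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$x = $EventXml

    # Index the named EventData fields: <Data Name="TargetUserName">jdoe</Data> etc.
    $data = @{}
    foreach ($d in @($x.Event.EventData.Data)) {
        if ($d -and $d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # Classic-provider events carry a Qualifiers attribute on EventID; handle both shapes.
    $eid = $x.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }

    [pscustomobject]@{
        EventID         = [int]$eid
        TimeCreated     = $x.Event.System.TimeCreated.SystemTime
        Computer        = $x.Event.System.Computer
        SubjectUserName = $data['SubjectUserName']   # who performed the action
        TargetUserName  = $data['TargetUserName']    # the account that was created (4720)
        DisplayName     = $data['DisplayName']
    }
}

function Search-ArchivedSecurityEvents {
    # Walk the archive folders for each DC and return only the selected fields.
    param(
        [Parameter(Mandatory)][string]$LogDate,              # yyyymmdd, part of the folder name
        [Parameter(Mandatory)][int]$EventId,
        [string[]]$Servers = @('dc1', 'dc2', 'dc3'),
        [string]$ArchiveRoot = '\\LogServer\EventLogs'       # assumption: layout from the post
    )
    foreach ($svr in $Servers) {
        # Resolve the wildcard folder to concrete files first (.evt and .evtx both match).
        $files = Get-ChildItem -Path (Join-Path $ArchiveRoot "$svr-$LogDate*\security.evt*") -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            Write-Host "Scanning $($f.FullName)"
            Get-WinEvent -FilterHashtable @{ Path = $f.FullName; Id = $EventId } -Oldest -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-SecurityEventXml -EventXml $_.ToXml() }
        }
    }
}

# --- Dry run on a constructed, abbreviated 4720 record (no .evtx files needed) ---
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2013-06-20T20:00:08.000000000Z" />
    <Computer>dc1.mydomain.edu</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="DisplayName">Doe, Jane</Data>
  </EventData>
</Event>
'@
ConvertFrom-SecurityEventXml -EventXml $sampleXml | Format-Table -AutoSize

# --- Real run against the archives ---
$logDate = Read-Host 'Date to search (yyyymmdd)'
$eventId = [int](Read-Host 'Event ID to search for')
$outFile = 'D:\Scripts\Testing\eventsummary.csv'     # placeholder output path

Search-ArchivedSecurityEvents -LogDate $logDate -EventId $eventId |
    Select-Object EventID, Computer, SubjectUserName, TargetUserName, DisplayName |
    Export-Csv -Path $outFile -NoTypeInformation

# Optional: mail the summary to the sysadmins (placeholder addresses and SMTP host).
# Send-MailMessage -To 'netid@mydomain.edu' -From 'eventsummary@mydomain.edu' `
#     -Subject "Event $eventId summary for $logDate" -Attachments $outFile -SmtpServer 'smtp.mydomain.edu'
```

Reading the XML rather than splitting the Message text keeps the script usable for other IDs: the field names (SubjectUserName, TargetUserName) are stable across the account-management events, whereas the Message layout differs from event to event. Add or drop columns in the Select-Object line to change what ends up in the CSV.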