In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to dig more quickly into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons. In this post (Part D), I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis.
Here I get the desired 'logon' events into spreadsheet format (reading the Security log requires an elevated PowerShell session):
$EventLogonIDs = "4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='security'; Id=@($EventLogonIDs)}
# one CSV line per event: keep only the message lines named in search.lst, strip all spaces, join the remainder with commas
foreach ($item in $MultipleIDLogEntries) { ($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","" -join "," | Out-File -Append test5.csv }
where search.lst contains:
TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:
Now I get the desired 'sleep' events into spreadsheet format. (My original concern was understanding why my Windows 7 PC spontaneously "resumes from sleep" by itself and seemingly commences a log-on.)
$EventLogonIDs = "1","42"
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='system'; Id=@($EventLogonIDs)}
# same shape as above; /I makes the "sleep" match case-insensitive
foreach ($item in $MultipleIDLogEntries) { ($item | Select TimeCreated, Message | fl * | findstr /I /G:search.lst) -replace " ","" -join "," | Out-File -Append test6.csv }
where search.lst contains:
TimeCreated
sleep
Now I mux the two data sets and output the combined csv:
$a = gc .\test5.csv    # security (logon) rows
$b = gc .\test6.csv    # system (sleep) rows
$c = $a + $b
$c | Out-File test7.csv
Once I translate the csv to a spreadsheet's native format, add column headers, format the Date/Time column (the unique identifier for our purposes) and sort by Date/Time, I have a storybook of events for the muxed security (e.g. 'logon') and system (e.g. 'sleep') events:
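The same muxed timeline built in one pass, as an added example that is not code from the original post: the Message field is parsed into a fixed set of columns so every row has the same shape, and the rows are sorted and exported directly. ConvertTo-TimelineRow, $Fields and timeline.csv are names chosen here, not from the post.

```powershell
# Added example, not from the original post: build the logon/sleep timeline in
# one pass, parsing the Message field into fixed columns instead of using
# findstr + a hand-built CSV. $Fields, the helper name and the output path are
# assumptions; reading the Security log needs an elevated session.
$LogonIds = 4611,4624,4625,4634,4647,4648,4672,4774,4775,4908,4964
$PowerIds = 1,42
$Fields   = 'Security ID','Account Name','Account Domain','Logon ID',
            'Logon Type','Logon GUID','Process Name'

function ConvertTo-TimelineRow {
    param($Event, [string]$Source)
    $msg = [string]$Event.Message          # empty if the provider's message resources are missing
    $row = [ordered]@{
        TimeCreated = $Event.TimeCreated
        Source      = $Source
        Id          = $Event.Id
        Summary     = ($msg -split "`r?`n")[0]   # first line, e.g. "An account was successfully logged on."
    }
    foreach ($f in $Fields) {
        # "Label:<tabs>value" lines; a label repeated in one event (4624 lists the
        # Subject and the New Logon account) yields both values joined with ';'
        $pattern = "(?m)^\s*$([regex]::Escape($f)):\s*(.*?)\s*$"
        $hits = [regex]::Matches($msg, $pattern) | ForEach-Object { $_.Groups[1].Value }
        $row[$f] = $hits -join ';'
    }
    [pscustomobject]$row
}

# Security log: the logon-related IDs used above
$rows = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$LogonIds} -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertTo-TimelineRow -Event $_ -Source 'Security' })

# System log: IDs 1 and 42, keeping only sleep/resume messages as the findstr /I "sleep" filter did
$rows += @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=$PowerIds} -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'sleep' } |
           ForEach-Object { ConvertTo-TimelineRow -Event $_ -Source 'System' })

# Mux and sort on the timestamp; every row carries the same columns, so the CSV
# opens cleanly in a spreadsheet without adding headers by hand
$rows | Sort-Object TimeCreated | Export-Csv -Path .\timeline.csv -NoTypeInformation
```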
Tuesday, 05 July 2011
Get-Winevent Part III: Querying the Event Log for Logons (Part D)
Next we need to discuss how to add additional Security auditing events to our storybook in Part E.