Use Cmdlets to Monitor Your Security Event Logs
The Get-EventLog cmdlet in Windows PowerShell makes it easy to investigate security event logs.
October 15, 2006
Many people use a command-line utility named LogParser to investigate logs produced by Windows products. An alternative exists for interrogating Windows event logs: the Get-EventLog cmdlet in Windows PowerShell. PowerShell is Microsoft's new command-line shell and scripting environment, built on the Windows .NET Framework 2.0.
PowerShell supplies a number of built-in cmdlets (pronounced command-lets) that you can use from the command line or a script to administer a Windows environment. You can use the Get-EventLog cmdlet to obtain information about event logs and the events they contain. For example, the command
get-eventlog -list
generates a list of event logs on the system. Besides each event log's name, the list includes each event log's retention period, overflow action, maximum size, and number of entries. To obtain information about events in the Security log only, you can use the command
get-eventlog security
You can link multiple cmdlets by using the pipe operator (|), which passes the output of one cmdlet to the next. Note that the information is piped in the form of .NET objects rather than text (which is what most other shell environments do). Piping every entry of a Security log to the screen is rarely useful, though, because most Security logs contain far too many entries to read through unfiltered. Fortunately, PowerShell contains a cmdlet named Where-Object (usually invoked through its alias, where) that you can use to filter the objects coming down the pipeline. For example, if you want to check for successful logons that occur outside typical business hours (in this case, between 8 P.M. and 8 A.M.), you can run the following command:
get-eventlog security | where {$_.EventId -eq 528 -and ($_.TimeGenerated.TimeOfDay -gt '20:00:00' -or $_.TimeGenerated.TimeOfDay -lt '08:00:00' )}
(If a command wraps across several lines on the page, enter it on one line in the command-shell window. The same holds true for the other long commands in this article.) In this command, note the following elements:
The $_ symbol. It refers to the current object being passed down the pipeline. To find the properties of event log objects, you can run the command
get-eventlog system | get-member
EventId. Each entry that Get-EventLog returns is a .NET EventLogEntry object, and its EventID property identifies the type of event (PowerShell property names are not case sensitive, so EventId and EventID both work). In this case, you're looking for successful logons, so the event ID is 528. Note that 528 is the successful-logon ID on Windows XP and Windows Server 2003; Windows Vista and later log the equivalent event as ID 4624, so adjust the filter for the system you are examining.
TimeGenerated.TimeOfDay. The TimeGenerated property holds the date and time at which an event was generated. To filter events by their time only, you can append the TimeOfDay property, which returns a TimeSpan. The -gt comparison operator specifies the starting time, whereas the -lt operator specifies the ending time. Because PowerShell converts the right-hand operand to the type of the left-hand operand, the strings '20:00:00' and '08:00:00' are converted to TimeSpan values before the comparison, so the filter works as written.
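The following added example (not code from the original article) wraps the off-hours filter in a reusable function and then summarizes the matches per day, so a single night with an unusual burst of logons stands out. The function name, its parameters, and the default event IDs are assumptions for illustration; the Security log can normally be read only by an administrator, so run this from an elevated shell.

```powershell
# Added example, not part of the original article.
# Assumptions: the caller can read the Security log (administrative rights),
# successful logons are event ID 528 on Windows XP/2003 and 4624 on Vista and
# later, and "off hours" means 8 P.M. to 8 A.M. The function name and
# parameters are illustrative.
function Get-OffHoursLogon {
    param(
        [int[]]$EventId = @(528, 4624),   # assumption: both pre- and post-Vista IDs
        [string]$Start  = '20:00:00',     # start of the off-hours window
        [string]$End    = '08:00:00',     # end of the window (next morning)
        [int]$Newest    = 5000            # cap on how many recent entries to read
    )

    # Convert the window boundaries once, instead of relying on PowerShell to
    # coerce the strings to TimeSpan inside the filter for every entry.
    $startSpan = [TimeSpan]$Start
    $endSpan   = [TimeSpan]$End

    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object {
            $EventId -contains $_.EventID -and
            ($_.TimeGenerated.TimeOfDay -gt $startSpan -or
             $_.TimeGenerated.TimeOfDay -lt $endSpan)
        }
}

# List the matching logons, most recent first.
Get-OffHoursLogon |
    Sort-Object TimeGenerated -Descending |
    Select-Object TimeGenerated, EventID, EntryType |
    Format-Table -AutoSize

# Count off-hours logons per calendar day; an unusually high count on one
# day is the kind of anomaly worth a closer look at the Message text.
Get-OffHoursLogon |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count
```

If the function returns nothing on a system you know is busy, check first that the shell has rights to read the Security log and that auditing of logon events is actually enabled; on Vista and later, also confirm that the event ID list includes 4624, since the older 528 ID is never written there. Raising -Newest reads further back in the log at the cost of a slower query.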
I've only scratched the surface of how you can use PowerShell to investigate Windows event logs. I strongly suggest that you download PowerShell Release Candidate 1 (RC1), which is the most current version at the time of this writing, at http://www.microsoft.com/downloads/details.aspx?FamilyId=2B0BBFCD-0797-4083-A817-5E6A054A85C9&displaylang=en and get familiar with its cmdlets.
Discovering how you can use cmdlets to administer your systems is a worthwhile investment of your time.