Comments on: Enumerate The Remote Event Log with .NET

By: Simon Matthes

Simon Matthes — Wed, 21 Dec 2011 02:50:51 +0000

Hi,

I tried you above script with no success, i want to be able to run the script every couple of hours and get sent an event log for the server. im a newb at powershell but when i run the script it returns with an email but no body. i think i only have version 1 of powershell, please help.

By: Mohit Vohra

Mohit Vohra — Tue, 07 Dec 2010 10:34:20 +0000

Hi,

I found the solution for this script: here you have used $logs[5].entries to check for security logs.

I tested this in powershell 2.0 and found that this will open the system logs; not security logs. So if you want to search for security events, including the ones mentioned in your example; you need to use: $logs[4].entries instead and then your reports should come.

By: Mohit Vohra

Mohit Vohra — Tue, 07 Dec 2010 10:20:40 +0000

I tried the same script (without email portion) but used different event ids (529-537,539,644) to track for failed login attempts; however the script simply prints nothing.

Basically i am trying to find out the failed login instances on windows 2003 server. i had written a script in perl, but there’s a limitation that perl cant be installed on the server; hence i need to re-write it in powershell / vbscript. I chose powershell as it looked to do most of the stuff that we can do in unix bash.
However this script is not printing anything; and i’m afraid i’m running out of time to accomplish this task.

Could someone pls help me in this?
Appreciate your comments in this regards.

Adding my script for reference purposes
# Get the computer name
$computer = gc env:computername

# Get current date
$Now = get-date

#Get day before yesterday
$lastwrite = $Now.AddDays(-2)

$logs = [System.Diagnostics.EventLog]::GetEventLogs(“$computer”)

$colItems = $logs[5].entries

$events = @(“529″, “530″, “531″, “532″, “533″, “534″, “535″, “537″, “539″, “644″)

foreach ($item in $colItems)
{
if (($events -contains $item.EventID))
{
$item.MachineName
$item.EventID
$item.TimeWritten
$item.Category
$item.EntryType
$item.UserName
$item.Data
$item.Source
$item.TimeGenerated
$item.Message

}
}

By: Steve

Steve — Wed, 17 Feb 2010 17:14:28 +0000

Is there a way to pass domain credentials with this script so it can be run against a different domain?

By: Sumudro

Sumudro — Wed, 18 Nov 2009 14:02:34 +0000

The script run with email facility with 32-bit pc events log. With 64-bit Exchange Server 2007, it’s not retruning events log. I checked $colItems.count returning 0, so that the for loop is not working and then logs return. Anyone has any solution. Thanks

By: Sumudro

Sumudro — Wed, 18 Nov 2009 13:05:27 +0000

I am new in PowerShell. The event log script is great. I ran without email that is ok. I also run with email, but the email body is showing empty. I am not sure the function EvtReader is returning empty string or ….. Can anyone reply, why i am getting no logs as body as email. Thanks

By: J Kavanagh

J Kavanagh — Fri, 28 Aug 2009 20:21:50 +0000

Okay so you now the value for $logs[#] but the number of logs is not the same (depending on OS, products installed, etc…) is there a way to for example get the System log entries?

By: Jesse Hamrick

Jesse Hamrick — Thu, 18 Jun 2009 22:34:57 +0000

Create the following variables and add it as part of the filter:
$Now = Get-Date
$lastWrite = $Now.AddDays(-7)

#now place in filter
-and($_.TimeWritten -ge $lastWrite)

I haven’t tested it yet but this works in other scripts I’ve written which get all errors recorded within last 7 days…

By: Brad B

Brad B — Thu, 18 Jun 2009 22:18:01 +0000

Great script… But I too would like to narrow down the results to 7 days or 24 hours..
Still new to PS

By: Sal

Sal — Mon, 13 Apr 2009 19:55:17 +0000

This script is great. Do you know of a way to add multiple host and filter by, say last 7 days?

Thanks