Tuesday, July 5, 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part D)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons. In this post (Part D), I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis.


Here I get the desired 'logon' events into spreadsheet format:

# Security-log event IDs of interest (logon/logoff, explicit credentials, special privileges, account lockout, etc.)
$EventLogonIDs = "4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@($EventLogonIDs)}
# For each event: list TimeCreated and Message, keep only the lines that match a pattern in search.lst,
# strip the double-space padding, join the kept lines into one comma-separated row and append it to test5.csv
foreach ($item in $MultipleIDLogEntries) { ($item | Select-Object TimeCreated, Message | Format-List * | findstr /G:search.lst) -replace "  ","" -join "," | Out-File -Append test5.csv }


where search.lst contains one pattern per line:

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:


Now I get the desired 'sleep' events into spreadsheet format. (My original concern was understanding why my Windows 7 PC spontaneously "resumes from sleep" by itself and seemingly commences a log-on.)

# System-log event IDs for entering sleep (42) and resuming from sleep (1)
$EventLogonIDs = "1","42"
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='System'; Id=@($EventLogonIDs)}
# Same pipeline as above; findstr /I makes the 'sleep' match case-insensitive. Output goes to test6.csv
foreach ($item in $MultipleIDLogEntries) { ($item | Select-Object TimeCreated, Message | Format-List * | findstr /I /G:search.lst) -replace "  ","" -join "," | Out-File -Append test6.csv }


where search.lst contains:

TimeCreated
sleep



Now I mux the two data sets and output the combined csv:

# Read both CSV files, concatenate the line arrays and write the combined set to test7.csv
$a = Get-Content .\test5.csv
$b = Get-Content .\test6.csv
$c = $a + $b
$c | Out-File test7.csv

Once I translate the csv to a spreadsheet's native format, add column headers, format the Date/Time column (the unique identifier for our purposes) and sort by Date/Time, I have a storybook of events for the muxed security (e.g. 'logon') and system (e.g. 'sleep') events.
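As an added example (not code from the original post), here is the same three-step pipeline done on Get-WinEvent objects with Export-Csv, so the Message fields land in named columns, both logs are merged and sorted by TimeCreated inside PowerShell, and the spreadsheet needs no manual headers or sorting. It assumes an elevated session on a Windows host; the Id lists and field names are the post's own, while Get-MessageField and timeline.csv are names chosen here.

```powershell
# Added example, not the original post's code: build the merged logon/sleep timeline
# in one script with Get-WinEvent and Export-Csv instead of findstr, text joins and
# a hand-edited CSV. Assumes an elevated PowerShell session on a Windows host.
$logonIds = 4611,4624,4625,4634,4647,4648,4672,4774,4775,4908,4964   # Security log
$powerIds = 1,42                                                    # System log

# Message-text fields to extract from Security events (the same names as search.lst).
$fields = 'Security ID','Account Name','Account Domain','Logon ID','Logon Type','Logon GUID','Process Name'

function Get-MessageField {
    param([string]$Message, [string]$Name)
    # Every "<Name>:<value>" line. 4624 has a Subject and a New Logon block, so a
    # field can occur twice; multiple values are joined with " | " in one cell.
    $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.*?)\s*$"
    $values = [regex]::Matches($Message, $pattern) | ForEach-Object { $_.Groups[1].Value }
    if ($values) { return ($values -join ' | ') }
    return $null
}

$securityRows = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$logonIds} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; Log = 'Security'; Id = $_.Id }
        foreach ($f in $fields) { $row[$f] = Get-MessageField -Message $_.Message -Name $f }
        $row['Summary'] = $null
        [pscustomobject]$row
    }

# -match is case-insensitive by default, like findstr /I in the post.
$systemRows = Get-WinEvent -FilterHashtable @{LogName='System'; Id=$powerIds} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sleep' } |
    ForEach-Object {
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; Log = 'System'; Id = $_.Id }
        foreach ($f in $fields) { $row[$f] = $null }
        # First message line, e.g. "The system has resumed from sleep."
        $row['Summary'] = ($_.Message -split "`r?`n")[0]
        [pscustomobject]$row
    }

# Merge both sets, sort on the timestamp and write one CSV with a header row,
# so the spreadsheet step needs no manual column naming or sorting.
@($securityRows) + @($systemRows) | Sort-Object TimeCreated |
    Export-Csv -Path .\timeline.csv -NoTypeInformation
```

Because the Security query is silenced with -ErrorAction SilentlyContinue, an empty Security section in timeline.csv usually means the session lacks the right to read that log rather than that no logon events exist.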


In Part E we will discuss how to add additional Security auditing events to our storybook.
