Sorting Windows events by UserID

Sorting Windows events by UserID is a critical piece of auditing. In the code and examples below, I concentrate on:


$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"


purposefully leaving out the Security log. We can create a simple function that allows us to check all events logs on any machine sorted by file size:

function CheckEventLogsBySize
{
get-winevent -listlog * | Sort -desc FileSize |
ft -auto LogName,@{Label="FileLogSize(MB)"; Expression={$_.FileSize/1MB}},@{Label="MaxLogSize(MB)"; Expression={$_.MaximumSizeINBytes/1MB}},LastWriteTime,IsLogFull 
}

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events.  Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons.  In Part D,  I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part III

Microsoft has exposed substantial providers since XP. With Windows 7, Microsoft has increased the number of providers substantially over previous versions of Windows and added 'netsh trace' functionality to enable tracing, conversion, batching of these kernel level counters. In the commands below, I have mixed cmd shell, powershell, cygwin cmds to parse ETL files. In  general, parsing etl files with 'get-winevent' and powershell takes a while...  You can understand 'netsh' filtering best with 'netsh trace show CaptureFilterHelp', however I recommend setting your 'netsh trace start maxSize=' parameter at 150 MB or less. (The default is an almost unworkable 250MB.)

Get-Winevent Part III: Querying the Event Log for Logons (Part D)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events.  Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons.  In this post (Part D),  I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis.

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

To list Opcodes, Event IDs, Event Descriptions from any group of provider's (e.g. Securit*) events, you can use:

$ProviderNames=get-winevent -listprovider microsoft-windows-Securit* | % {$_.Name}
$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description -auto -wrap}

Get-Winevent Part III: Querying the Event Log for Logons (Part B)

This is a long post that I've edited from a answer I gave on Stack Overflow.  Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information from the 'Message' field of a "Logon Type" (ID=4624).