Powershell Get-EventLog and Security Event Log

Hello Community,

I am running the following command from a ps script:

Get-EventLog -LogName Security -After $startDate -Before $endDate -ComputerName $strServer

which works perfectly getting the events from any remote server on my domain.  The query basically collects all events produced in a single day.  What concerns me is the number of logon/logoff events that the command is producing on the server.  Has anyone seen similar behaviour when running the command on a remote server?  Does anyone have a suggestion on how to avoid?  I am not able to reproduce when running locally.

T

September 27th, 2013 7:09pm

Not sure if you can suppress them, as in order to run it, your account is "logged on" the server, even though you are not physically doing so. I would only see it having to do one logon, run the script and then log out, is that not the case?
September 27th, 2013 7:32pm

Hi, yes, I actually realize that the initial logon is needed to run the script.  The problem is that it is producing about 3,000+ entries on average for the single account running the script during the period the script is running.  Which is what is a concern f

September 27th, 2013 7:44pm

That does sound like an issue. Have you tried using the Invoke-Command cmdlet, rather than the -ComputerName param, to see if it does the same thing?

Of course you will need PS Remoting enabled to do so.

September 27th, 2013 7:51pm

Hi, I have an update on the above... after a closer investigation I have found that the issues are happening only on servers running W2K server.  I think this is related to the version of .net framework or how PS does the query to the server.  I will investigate further but thanks for suggestions.
September 30th, 2013 11:58am

Hello Aramane,

Your script is really nice. For my side I would like to get all the logon/logoff from all my DCs for monitoring who is doing what and at what time (only from admins, don't know how to manage). I'm not so good with scripting, I tried many things, could you help me with this?

# Variables to use in the script
$txtServers = "Serverslist.txt"

# Collect the server names to check logfiles
$strServerNames = Get-Content -Path "C:\tmp\$txtServers"

# Collect the start and end dates to check event log
# (.Date drops the time part, so the window is yesterday 00:00 to today 00:00;
# the original Get-Date -Format / Get-Date round trip depended on the machine's date culture)
$endDate   = (Get-Date).Date
$startDate = $endDate.AddDays(-1)

$eventList = @()
# Get-EventLog accepts an array for -ComputerName, so all servers are queried in one call.
# Keep only 4624 (successful logon) events whose target SID is longer than a well-known
# short SID and whose target account is not a computer account (name ending in $).
Get-EventLog -LogName Security -After $startDate -Before $endDate -ComputerName $strServerNames |
    Where-Object { $_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$" } |
    ForEach-Object {
        $row = "" | Select-Object UserName, LoginTime
        $row.UserName  = $_.ReplacementStrings[5]   # TargetUserName
        $row.LoginTime = $_.TimeGenerated
        $eventList += $row
    }
$eventList

January 14th, 2014 7:50am

Hi, can you please try running the following query to see if it helps with the issues and you are able to get the needed results.  I am not quite sure what information you are trying to extract so the below is just a guess:

$eventList = @()
Get-EventLog -LogName Security -After $startDate -Before $endDate | Where-Object { $_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$" } | ForEach-Object { $row = "" | Select-Object UserName, LoginTime; $row.UserName = $_.ReplacementStrings[5]; $row.LoginTime = $_.TimeGenerated; $eventList += $row }
$eventList

January 14th, 2014 1:04pm
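An added example, not code from the thread, that combines the Invoke-Command suggestion from the second reply with the 4624 filter from the script above. It assumes C:\tmp\Serverslist.txt holds one server name per line and that PS Remoting is enabled on each server; it separates the collecting account's own logons from everyone else's, so the noise the original poster describes can be measured instead of mixed into the results.

```powershell
# Added example (not from the thread). Assumes C:\tmp\Serverslist.txt lists one
# server per line and that PS Remoting is enabled on each server.
$servers   = Get-Content -Path 'C:\tmp\Serverslist.txt'
$endDate   = (Get-Date).Date          # midnight today
$startDate = $endDate.AddDays(-1)     # midnight yesterday
$me        = $env:USERNAME            # the account running this collection

# Run the query on each server inside one remoting session, so the remote
# Security log records the WinRM logon for that session rather than the
# logons generated by repeated remote event-log access with -ComputerName.
$rows = Invoke-Command -ComputerName $servers -ArgumentList $startDate, $endDate -ScriptBlock {
    param($start, $end)
    Get-EventLog -LogName Security -After $start -Before $end |
        Where-Object {
            $_.EventID -eq 4624 -and
            $_.ReplacementStrings[4].Length -gt 10 -and   # skip well-known short SIDs
            $_.ReplacementStrings[5] -notlike '*$'        # skip computer accounts
        } |
        ForEach-Object {
            # 4624 ReplacementStrings: [5]=TargetUserName [6]=TargetDomainName [8]=LogonType
            [PSCustomObject]@{
                Server    = $env:COMPUTERNAME
                UserName  = $_.ReplacementStrings[5]
                Domain    = $_.ReplacementStrings[6]
                LogonType = $_.ReplacementStrings[8]      # 2=interactive 3=network 10=RDP
                LoginTime = $_.TimeGenerated
            }
        }
}

# Split the collector's own logons from everyone else's so the "3,000+ entries
# for one account" noise is visible as a number instead of hidden in the list.
$noise  = @($rows | Where-Object { $_.UserName -eq $me })
$others = @($rows | Where-Object { $_.UserName -ne $me })

"Logons recorded for the collecting account ($me): $($noise.Count)"
$others | Sort-Object Server, LoginTime |
    Format-Table Server, UserName, Domain, LogonType, LoginTime -AutoSize

# Per-server, per-user totals for reviewing who logged on where.
$others | Group-Object Server, UserName | Sort-Object Count -Descending |
    Select-Object Name, Count
```

If the collecting account's count stays high even through Invoke-Command, the extra logons come from something other than the remote event-log access and can be traced by LogonType and the event's process fields.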
