Specific event to monitor and save.

[Tobias Hallman Participant Topics: 2 Replies: 1 Points: 14Rank: Member]

Hi i need some help. google have not been sucessful in doing so.

 

im trying to create a simple powershell script that will get the specific event from Security logs evenID 12 and 29.

so i created this.

$number = 1

Do {

$computer = Get-Content ‘\\****\NETLOGON\Files\Smartakort events\servrar.txt’

foreach ($Machine in $computer )

    {

       Get-Eventlog -Logname Security -ComputerName $Machine -newest 1000 |

       Where-Object {$_.EventID -eq ’19’}

            Format-Table MachineName, Source, EventID, Message -auto

 }

 write-host “Run” $number

    $number++

    sleep 60

   } While ($number -le ‘1440’)

now this work for the 1 even. but if i wanna get 2 event IDs i have tried a number of Diffrent ways but im only geting 0 result an error are only one of the two queries.

exmp:  Where-Object {$_.EventID -eq ’19’ -or  ’29’} i even tried doing the Where-Object statment twice. to no result.

is it just the way powershell work that it cant in this instance sort multiple values from the result of  “get-events”

 

thanks for all the help i can get.

 

[Mike R. Participant Topics: 5 Replies: 252 Points: 999Rank: Major Contributor]

Piping Get-EventLog to Where-Object could be painfully slow since there are a lot of objects to evaluate.  Get-EventLog has a parameter InstanceID that will take an array of Event ID numbers.  Recommend you use that instead.  I prefer Get-WinEvent thought because it can read the newer Windows logs.  Here is an example of how you can use either one in your situation.

PowerShell

#Using Get-WinEvent $Filter = @{ Logname = "Security" ID = 12, 29 } Get-WinEvent -FilterHashtable $Filter #Using Get-EventLog Get-EventLog -LogName Security -InstanceId 12, 29

1 2 3 4 5 6 7 8 9

#Using Get-WinEvent $Filter = @{     Logname = "Security"     ID      = 12, 29 } Get-WinEvent -FilterHashtable $Filter   #Using Get-EventLog Get-EventLog -LogName Security -InstanceId 12, 29

Recommend reviewing docs:

Get-WinEvent

WinEvent queries with filterhashtable

Get-EventLog

 

[Tobias Hallman Participant Topics: 2 Replies: 1 Points: 14Rank: Member]

thanks alot, that worked great. did just what i wanted. and thanks for the little lesson that speeded up the process by alot.

 

[TonyD Participant Topics: 10 Replies: 201 Points: 987Rank: Major Contributor]

Get-WinEvent using a hash table as Mike has pointed out will be substantially faster then Get-EventLog. In my opinion, you should only use Get-EventLog if your Powershell version does not support Get-WinEvent.

Just my $.02

Also, you wrote: exmp: Where-Object {$_.EventID -eq ’19’ -or ’29’} i even tried doing the Where-Object statment twice. to no result.

I do believe you should have used {$_.EventID -eq ’19’ -or $_.EventID -eq ’29’}

[Mike R. Participant Topics: 5 Replies: 252 Points: 999Rank: Major Contributor]

TonyD05 makes a great point regarding logic operators -or in this case.  I see this error all the time.  When you use a logic operator, both sides of the operator must independently evaluate to $true or $false.  Any value other than 0, “” or $null will evaluate to $true.

PowerShell

PS C:\WINDOWS\system32> [bool]29 True PS C:\WINDOWS\system32> [bool]0 False

1 2 3 4 5

PS C:\WINDOWS\system32> [bool]29 True   PS C:\WINDOWS\system32> [bool]0 False

So in essence your Where-Object clause would evaluate to {$_ -eq 19 -or $true} meaning that came over the pipeline would continue down the pipe since only one side of the -or needs to be true.

[Author]

Posts