Eventlogs
Powershell

When you want to read the event logs of a remote server there are several ways to do it. One that I like is:

$logs = Get-EventLog -List                    # one System.Diagnostics.EventLog object per log
$logs[0]
$logs[0].MachineName = "RemoteServerName"     # re-point that EventLog object at the remote host
$logs[0] | Get-Member
$logs[0].Entries                              # enumerates the whole remote log

Note that this needs Get-EventLog -List: the entries returned by a plain Get-EventLog Application have a read-only MachineName property and no Entries collection. Also keep in mind that reading Entries pulls the complete log over RPC, which is slow for a large Security log; for that case Get-EventLog with -ComputerName together with -Newest or -After limits the amount of data before it leaves the server.

Another nice one is the Get_eventsByWMI.ps1 script, which looks up events by ID through WMI. You would run it like this:
.\Get_eventsByWMI.ps1 -computer servername -eventid 6005

Event ID 6005 is written by the Event Log service every time it starts, so the result shows when the computer was booted.

When you want to see which event sources occur most frequently, run:

$events = Get-EventLog -LogName System -Newest 1000
$events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending

Another very useful command is to look for account lockouts in the Security log of your domain controller. Without -After or -Newest this reads the entire Security log from the DC, so limit it to the period you are interested in:
Get-EventLog -LogName Security -ComputerName "domaincontrollername" -After (Get-Date).AddDays(-1) | Where-Object { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*username*") } | Select-Object Message, TimeWritten, EventID | Format-Table -AutoSize

It is also useful to go through the event log of a print server with PowerShell, for instance to find all failed print jobs of the user who reported a problem. Select-String does not work on the objects coming down the pipeline the way the original one-liner tried (-InputObject {$_.message} passes a script block literal, not the message), so filter on the Message property instead:
Get-EventLog -LogName System -ComputerName servername -Source Print -EntryType Error | Where-Object { $_.Message -match "John Doe" }

Or if you want to see all the error entries of today in the Application log:
Get-EventLog -LogName Application | Where-Object { ($_.EntryType -eq "Error") -and ($_.TimeWritten.Date -eq (Get-Date).Date) }

To play with the date, let's say I want to see all the error entries that occurred on 5 December, and today is 2 January 2012, which is 28 days later. AddDays takes a number, not a string:
Get-EventLog -LogName Application | Where-Object { ($_.EntryType -eq "Error") -and ($_.TimeWritten.Date -eq (Get-Date).Date.AddDays(-28)) }

You can also use the .NET System.Diagnostics.EventLog class directly (this is what Get-EventLog uses underneath; it is not WMI):
$logs = [System.Diagnostics.EventLog]::GetEventLogs('computername')
$security = $logs | Where-Object { $_.Log -eq 'Security' }
$security.Entries[0]

Then you could filter it down to the FailureAudit entries. Entries enumerates the complete remote Security log, so expect this to take a while on a busy domain controller:
$errors = $security.Entries | Where-Object { $_.EntryType -eq 'FailureAudit' }
$errors | Select-Object -First 1 | Format-List *

If you don't like PowerShell, Jeff Hicks wrote a good post on searching the logs from the command line with wevtutil.
This reads the Application log in reverse direction (most recent first), limits the output to 5 events and prints them as text instead of XML:
wevtutil qe application /rd:true /c:5 /f:text

See his complete post at Jeff Hicks petri.co.il

When you want to find out when a user account has been unlocked, look at the domain controller. Keep in mind that there is probably more than one domain controller that could hold this information, because the event is written on the DC that performed the unlock. Event ID 671 ("User Account Unlocked") is the Windows Server 2003 ID; on Windows Server 2008 and later the unlock is 4767 and the lockout itself is 4740 (644 on 2003). Filtering on -InstanceId lets the cmdlet skip the other events while it reads the log:

Get-EventLog -LogName Security -ComputerName NameOfDomainControllerComputer -InstanceId 671 | Where-Object { $_.Message -like '*Username*' } | Select-Object TimeGenerated

I am using TimeGenerated here to find a pattern in when the user calls to say that he or she has been locked out.
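The lockout search on the domain controller above and the unlock search here both need to be run against every DC to get the full picture. The following script is an added example, not code from the original page: it enumerates the domain controllers through .NET (so the ActiveDirectory module is not needed), asks each one for the 4740 (locked) and 4767 (unlocked) events of one user, pulls the "Caller Computer Name" out of the lockout message, and merges everything into one timeline sorted by TimeGenerated. It assumes Windows Server 2008 or later DCs (on 2003 substitute 644 and 671), a domain-joined machine, and an account that may read the Security log on each DC. The script name and parameter names are my own.

```powershell
# Get-LockoutTimeline.ps1 (added example, not from the original page)
# Usage: .\Get-LockoutTimeline.ps1 -SamAccountName jdoe -Hours 48
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$Hours = 24
)

# Enumerate the DCs with .NET so this works without the ActiveDirectory module.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name }

$since = (Get-Date).AddHours(-$Hours)
$timeline = foreach ($dc in $dcs) {
    try {
        # -InstanceId, -After and -Message are applied while the log is read,
        # so only the matching events cross the network.
        Get-EventLog -LogName Security -ComputerName $dc -After $since `
            -InstanceId 4740, 4767 -Message "*$SamAccountName*" -ErrorAction Stop |
        ForEach-Object {
            # 4740 carries "Caller Computer Name:" (where the bad passwords came from);
            # 4767 does not, so the regex simply leaves the column empty there.
            $caller = ''
            if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $caller = $matches[1] }
            $action = 'unlocked'
            if ($_.InstanceId -eq 4740) { $action = 'locked' }
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                DC      = $dc
                EventID = $_.InstanceId
                Action  = $action
                Caller  = $caller
            }
        }
    } catch {
        # A DC that is down or refuses the RPC call must not abort the whole run.
        Write-Warning "Could not read the Security log on ${dc}: $_"
    }
}

$timeline | Sort-Object Time | Format-Table Time, DC, EventID, Action, Caller -AutoSize
```

A lockout that repeats every few minutes from the same Caller Computer Name is almost always a stale credential (a mapped drive, scheduled task or service) on that machine rather than a password-guessing attempt, so the caller column is usually the first thing to look at.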

Here is another way to see all events that happened between two points in time:

$eventsapplication = Get-EventLog -LogName Application
$eventsapplication | Where-Object {
    (($_.EntryType -eq "Warning") -or ($_.EntryType -eq "FailureAudit")) -and
    ($_.TimeWritten -gt [datetime]"2012-03-22T00:00:00") -and
    ($_.TimeWritten -lt [datetime]"2012-03-22T16:39:27")
}

Here I have taken all warnings and failure audits from midnight that day until 4:39:27 PM. The property is called EntryType (there is no EventType), and the extra parentheses around the -or matter: -and binds tighter than -or in PowerShell, so without them the time window would only apply to the FailureAudit half and every warning in the log would be returned.
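The three date filters on this page (errors of today, errors of a day 28 days back, and the midnight-to-4:39 PM window above) all read the complete log and discard most of it afterwards. As an added example that is not part of the original page, the function below does the same selections with the -After, -Before and -EntryType parameters of Get-EventLog, so the filtering happens while the log is read, and it works against a remote server as well. The function name, its parameters and the server name server01 are my own.

```powershell
# Added example, not from the original page.
function Get-EventsInWindow {
    param(
        [string]$LogName = 'Application',
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Date,                       # whole calendar day, e.g. (Get-Date).AddDays(-28)
        [datetime]$Start,                      # or an explicit window ...
        [datetime]$End,
        [string[]]$EntryType = @('Error', 'Warning')
    )
    # $PSBoundParameters tells a parameter that was really passed apart from the
    # [datetime] default value, which is 01-01-0001 and would count as "set".
    if ($PSBoundParameters.ContainsKey('Date')) {
        $Start = $Date.Date                    # midnight at the start of that day
        $End   = $Start.AddDays(1)             # midnight at the start of the next day
    }
    if (-not $PSBoundParameters.ContainsKey('Start')) { $Start = (Get-Date).Date }
    if (-not $PSBoundParameters.ContainsKey('End'))   { $End   = Get-Date }

    # -After/-Before/-EntryType are applied by the cmdlet while it reads the log.
    # -ErrorAction Stop turns "log not found" or "RPC server unavailable" into a
    # terminating error instead of silently returning nothing.
    Get-EventLog -LogName $LogName -ComputerName $ComputerName `
        -After $Start -Before $End -EntryType $EntryType -ErrorAction Stop |
        Select-Object TimeWritten, EntryType, Source, EventID, Message
}

# Today's errors and warnings in the Application log of this machine
Get-EventsInWindow

# Errors on 5 December when today is 2 January 2012 (28 days back), as in the text
Get-EventsInWindow -Date (Get-Date).AddDays(-28) -EntryType Error

# Warnings between midnight and 4:39:27 PM on 22 March 2012 on a remote server
Get-EventsInWindow -ComputerName server01 -LogName System -EntryType Warning `
    -Start ([datetime]'2012-03-22T00:00:00') -End ([datetime]'2012-03-22T16:39:27')
```

The ISO-style [datetime]'yyyy-MM-ddTHH:mm:ss' casts are deliberate: a cast from string uses the invariant culture, so the same line means the same day on a Dutch (d-M-yyyy) and on a US (M/d/yyyy) system.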

When you want to find in the event log when a workstation (Windows 7) was unlocked, search for event ID 4801 ("The workstation was unlocked"; 4800 is the matching lock). Both are only written when the "Audit Other Logon/Logoff Events" subcategory is enabled, and reading the Security log needs an elevated prompt:

Get-EventLog -LogName Security -InstanceId 4801
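To turn the raw 4800/4801 entries into something readable, the following added example (not code from the original page) pairs every lock with the next unlock and reports how long the console was locked and which account unlocked it. It uses Get-WinEvent, the newer cmdlet that reads the Windows 7 event log format directly, and assumes the audit subcategory mentioned above is enabled and the prompt is elevated; the output property names are my own.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$lockedAt = $null
$sessions = foreach ($e in $events) {
    # The first "Account Name:" line of the message is the Subject of the event.
    $account = '?'
    if ($e.Message -match 'Account Name:\s+(\S+)') { $account = $matches[1] }
    switch ($e.Id) {
        4800 { $lockedAt = $e.TimeCreated }          # remember the lock, emit nothing yet
        4801 {
            if ($lockedAt) {                          # ignore an unlock without a known lock
                New-Object PSObject -Property @{
                    Locked   = $lockedAt
                    Unlocked = $e.TimeCreated
                    Minutes  = [math]::Round(($e.TimeCreated - $lockedAt).TotalMinutes, 1)
                    Account  = $account
                }
                $lockedAt = $null
            }
        }
    }
}

if (-not $events) {
    Write-Warning 'No 4800/4801 events found; check auditpol /get /category:"Logon/Logoff" for "Other Logon/Logoff Events".'
}
$sessions | Format-Table Locked, Unlocked, Minutes, Account -AutoSize
```

An unlock by a different account than the one that locked the workstation shows up directly in the Account column, which is the case an administrator usually wants to spot.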


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License