Created
May 18, 2016 21:58
-
-
Save NicholasLeader/e938be159071f72f62c76e37dbb71af8 to your computer and use it in GitHub Desktop.
PowerShell example of parsing Windows Event log, doing admin detection, as well as writing to log file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Nicholas Leader | |
| 05/18/2016 | |
| Example of parsing of a Windows Event log, then writing to the host and a log file if a certain eventID detected | |
| #> | |
| ## requires section Reference: http://serverfault.com/a/676573/355259 | |
| ## detecting if the script is run as admin and kicking it back if it isn't (veiwing the security log requires local admin access | |
| #Requires -RunAsAdministrator | |
| ## grabbing the 'security' eventlog on the local host | |
| ## using the 'after' argument with a custom date to grab logs after yesterday | |
| ## filtering on the wildcard of '*boot*' to get eventlogs with containing info about boot | |
| Get-EventLog -LogName Security -After (get-date).AddDays(-1) -Message '*boot*' | | |
| ## piping to where-object to further filter the results to only those containing 'instanceID' or '4826' | |
| Where-Object { | |
| $_.instanceID -match '4826'} | | |
| ## looping over each of the piped objects | |
| ForEach-Object { | |
| ## writing to both the host as well adding the 'eventID' to a log file 'example.txt' | |
| Write-Host $_.EventID "instance found"; $_.EventID >> C:\test\example.txt} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment