Log Searching Quickly with PowerShell


Who would have thought log searching, one of the most soul crushing activities could be scripted? You’ll never “Clear Log” instead of “Clear Filter” in the GUI again!

Log Searching Syntax

There are a lot of ways to do this that vary slightly from each other. The least confusing way I can think of to note this is by adding a number to each unique parameter, then listing which additional parameters are compatible with it. So the parameter -ListProvider, being #8, can take the additional parameters -ComputerName, -FilterXPath, and -Credential.

PowerShell
Get-WinEvent
    # Choose One
    [[-LogName] <String[]>]          # 1
    [-ProviderName] <String[]>       # 2
    [-Path] <String[]>               # 3
    [-FilterHashtable] <Hashtable[]> # 4
    [-FilterXml] <XmlDocument>       # 5
    [-ListLog] <String[]>            # 7    Outputs Event log configuration
    [-ListProvider] <String[]>       # 8    Outputs Provider MetaData

    # Additional parameters
    [-MaxEvents <Int64>]             # 1, 2, 3, 4, 5
    [-ComputerName <String>]         # 1, 7, 8, 2, 4, 5
    [-Force]                         # 1, 7, 2, 4, 5
    [-Oldest]                        # 1, 2, 3, 4, 5
    [-FilterXPath <String>]          # 1, 7, 8, 2, 3
    [-Credential <PSCredential>]     # 1, 7, 8, 2, 3

There is no limit in PowerShell on the number of events queried, but the Get-WinEvent cmdlet queries the Windows API, which has a limit of 256. This can be bypassed with loops.

Valid Pairs for Log Searching Filters

If using a hash table, these are the valid pairs:

  • LogName=<String[]>
  • ProviderName=<String[]>
  • Path=<String[]>
  • Keywords=<Long[]>
  • ID=<Int32[]>
  • Level=<Int32[]>
  • StartTime=<DateTime>
  • EndTime=<DateTime>
  • UserID=<SID>
  • Data=<String[]>
  • <named-data>=<String[]>
  • SuppressHashFilter=<Hashtable>

Example

Here’s how you’d aggregate the number of logs that include the string “PowerShell” in their name.

PowerShell
Get-WinEvent -LogName *PowerShell* # See the events individually
Get-WinEvent -LogName *PowerShell* | Group-Object -Property LevelDisplayName, LogName -NoElement | Format-Table -AutoSize # Group them by name

There are a massive number of ways this can be used. Microsoft has nearly 20 examples in their documentation.

All in all, this is an extremely powerful tool for reporting. You could pull authentication logs from a domain controller to see if bad creds are being sent out by a service account. Alternatively, you might create a script to scan for a specified event, and execute code when it happens. You’ll have to toy around with it and see what you need.
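The domain-controller use case above, written out with the hash-table pairs listed earlier, as an added example that is not part of the original post. The computer name and account name are placeholders; it assumes you have read access to the Security log on that host.

```powershell
# Added example (not from the original post): find failed logons (event ID 4625)
# for one account over the last 24 hours with -FilterHashtable, then group the
# failures by the host and status code that produced them.
# Assumptions: $Dc is a domain controller whose Security log you may read.
$Dc      = 'DC01'          # placeholder computer name
$Account = 'svc_backup'    # placeholder service account (sAMAccountName)

# Only valid hash-table pairs: LogName, ID, StartTime and the named-data
# field TargetUserName (the account the logon was attempted for).
$filter = @{
    LogName        = 'Security'
    ID             = 4625
    StartTime      = (Get-Date).AddHours(-24)
    TargetUserName = $Account
}

try {
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction Stop
} catch {
    # An empty result is reported as an error; treat it as zero events.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Pull the fields of interest out of each event's XML payload.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']   # 0xC000006A = wrong password
    }
}

# Which hosts are sending the bad credentials, and how often?
$rows |
    Group-Object Workstation, SourceIp, SubStatus -NoElement |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

A service account that keeps failing from one workstation with SubStatus 0xC000006A usually means a stale stored password on that host rather than an attack, which is exactly the distinction this grouping makes visible.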