PowerShell Tutorials Event Viewer #1 : Get-EventLog

Captions
Hi, and welcome to this PowerShell tutorial video. In this video we're going to be looking at how to automate the Event Viewer in Windows. This can be done on Windows Server or your own Windows 10 or Windows 11 machine, because they all have an Event Viewer, which is basically just to see different events, whether linked to applications (if you have an application that's crashing, it'll leave events in the Event Viewer) or security events. Failed logins are often something that I would look at through the Event Viewer, to see if someone is trying to get into an account that they shouldn't be getting into, and then put firewall rules in place to block it, or maybe it's just someone that doesn't know their username, so you can proactively go help them out.

So something that I would be looking for would be something like this. We have a bunch of failed logins here: we have a failed login, we have another one, we have another one, and we have a few more here. Now all of these logins are actually happening on one account; they're trying the account admin. So I did a whole bunch of attempts on a username that does not exist, which is admin on my domain, and I just put in random passwords which I knew wouldn't work, just to give us a good base of what we're going to be working with.

In this video we're going to be using the Get-EventLog cmdlet. I'll be covering Get-WinEvent in a different video, just because they are two different cmdlets. Get-EventLog is definitely more basic and easier to use; it takes a little bit longer to query, I find, especially depending on how you structure your query. With Get-WinEvent, you could make the cmdlet go very, very fast. So we'll be seeing both of those throughout the next couple of videos.

Let's go ahead and get started with Get-EventLog. Firstly, the cmdlet is just Get-EventLog, and we have a bunch of options: LogName, ComputerName, Newest, After, Before, UserName, InstanceId, Index, EntryType, Source and Message. So we definitely have a whole bunch here. We're going to be getting the failed logins, so the log name that we're going to be looking for is going to be the Security log. If I just do Security here and we run this first command, here we are: we're just getting all the events related to Security. But as you can see, this is getting everything, including the successful logins, so we want to filter that a little bit more.

If I come back to the Event Viewer, I can see that the source is coming from... you can't see the whole word here, this window is not quite big enough, but if we go into Details here and open up System, we can actually see that the source is Microsoft-Windows-Security-Auditing. So what I would do is copy this, and then for the Source you could just paste that in here. That will make it only get the Security-Auditing events, which is pretty much the only type of event you're getting in Security, unless you have different roles installed on your server, in which case you definitely might have some different sources, especially if you have something like a Network Policy Server. But let's use this source for now.

Then what we want to do is simply get the errors. We know that all the audit failures are actually 4625 for the event IDs, or they're audit failures. So there are two ways to do this. The first way is by using one of the properties here, which is EntryType. For EntryType we actually have FailureAudit right here, so if we run this we're going to get all of our failed logins. Now I can actually do it a different way; I just have to wait till this finishes. This is kind of what I mean: Get-EventLog definitely works, it gets your events pretty quickly, but there is definitely a slight timing issue; it does take quite a bit of time.

Another way we could do it is to look by InstanceId. The instance ID is going to be your event ID, so in our case it's going to be 4625 that we're looking for. If we do that, we're again going to get all of our failures. So there are two ways with Get-EventLog, depending on what you're looking for; I would probably just use EntryType, it's a lot easier, you have the preloaded data there.

Now what I would typically like to do is only see the events in the last hour. As we can see here, we have a bunch that happened at 10 o'clock, and then we have one that happened at 8:58, which was another one of my tests. So let's just do After, and then what I like to do here is a variable wrapper: a dollar sign, open parenthesis, close parenthesis, and do a Get-Date, and then I like to do a dot notation afterwards and do AddHours, and we add negative one hours, so in fact it subtracts an hour. If we do this we only get the events that happened in the last hour: we don't get that one from 8:58, we only get the ones from 10, as it is currently 10:06 where I am right now filming this video. So this is definitely how you would filter that.

Now we have all of our events. What we could do is store this in a variable, so let's store it in a variable called events. This is something that I would probably run every hour and just kind of see what type of data you're getting, especially if it's something that you're wanting to investigate because you're finding an account locks out every so often and you want to figure out where this is coming from, and whether you can potentially fix this by blocking an IP that is constantly trying to access that account, causing account lockouts. So we can do a foreach, event in events, and then what I like to do is run this blank, just so I can preload the dot notations and make my life a little bit easier.

So now if we do event, we can see everything that it gets, but what I like to do is a select star here, so just pipe it to select *, or if you want to use the long version, Select-Object *. If we run this, we get the full event here: we can see that we get an EventID, we get a MachineName, which is your server, the server that I'm getting the Event Viewer from, and then we can see the Index number, the Category, the CategoryNumber, the EntryType and the Message. We can see that the message is for the account name admin, but we see that the message is just a text field, not very easy to work with. We can see the Source, we get ReplacementStrings, which we'll be looking at in just a moment, then the InstanceId, and then the TimeGenerated and TimeWritten, the UserName, Site and Container.

So what I like to look at is the ReplacementStrings. Let's go ahead and do event.ReplacementStrings and just look at that. This is what we get back: this is all the data that's actually inside the message, for each of the fields. What I like to do is grab these and store them into variables themselves. An easier way to actually see what values you need to take in is to look at event.Message. Here we have the message, let me just make this bigger for you guys. We can see that the Security ID is just a SID that does not exist, and then we have a Security ID again that doesn't exist, the Account Name is admin, the Account Domain was the jacked domain, we can see that the Workstation Name that made the attempt was laptop 425 ueec, and then the Source Network Address was 172.30.123.10, and it was attempted over NTLM. So we have quite a bit of data from this message, but none of it's really useful for us because it's just in a text field. But if we look at the ReplacementStrings, we can actually see all those values. So I know this is the username, this is the domain, this is the workstation name that called it, and this is the IP from that workstation. These are going to be the values that I want to grab from that type of event.

Otherwise you're going to have to guess which value in the array it is: 5 is the username, I know that from previous experience, but this is not something that would be very easily guessed just by looking at this; you'd have to count, and sometimes you just lose track of that count in your head. So what I like to do to find this more easily is a foreach: open a parenthesis and do $x in 0..$event.ReplacementStrings.Count, then close the parenthesis, open and close curly brackets, and in here do a Write-Output, open and close quotations, and do a $x, then I like to put a dash, and then a dollar sign with open and close parentheses to hold a variable, because we're going to be doing a dot notation inside of a string, then event.ReplacementStrings with open and close square brackets referencing our $x number. Let me just bring this down so you guys can actually see the whole thing, but let's just see what this gives us. As we can see, we get the array index number for each value here, so this makes it very, very easy. Then all I can do is start doing this: UserTried is going to be event.ReplacementStrings[5], DomainTried is going to be event.ReplacementStrings[6], now we want to grab the computer name, so ClientNameFrom is going to be event.ReplacementStrings[13], and then we have our ClientIpFrom, which is going to be event.ReplacementStrings[19].

So that's that. Then what I'm going to do is delete this foreach statement here, so all we're doing is grabbing exactly the values that we need. Then what I can do is create an object here. Let's just create an object called log, and we're going to create it as an empty array and cast this to, I believe it's System.Collections.ArrayList. Now we have a log which is an ArrayList, so we can easily add to it. Then we're going to have our log entry, which is going to be a New-Object with a TypeName of PSObject, and then we're going to do an Add-Member, where the InputObject is our log entry, the MemberType is a NoteProperty, the Name is going to be UserTried, and the Value, you guessed it, we're going to put UserTried. We're going to do this for each value that we are taking in: DomainTried, ClientNameFrom and ClientIpFrom. So here we are, and then all I like to do is log.Add(logEntry), and what I like to do just to remove the output is put [void] in front. So now if we run this full script, it might just take a few minutes to go through the actual event log. Now here we are: here are all the wrong logins. We know that the user tried was admin, the domain tried is all the same, the client from is all the same, the client IP from is all the same, so we could probably know that this was a password spray.

Now what I would usually do, since we have this going for the events in the last hour, is make a scheduled task that would run this every hour on the hour and store this into a database or send this by email and give me the results, just so I could properly investigate and see what's going on. But when you have this in an object like this, what you could do is a Group-Object by ClientNameFrom, and there we are: we have the count here and we have the name. So we can group this by the different clients, so we can see how many attempts each client has made, or if we wanted to just do ClientIpFrom, how many attempts did the client make. Or as well, if I actually do this for more than one hour, let's just do four hours here for the failures, and then I do UserTried for the Group-Object and we run this entire thing, we're going to see that we can actually see the two users completely separated. So it just gives you a lot of flexibility, and it really depends on what type of scenario you're looking for, but if you're trying to investigate to see what type of accounts are being hit a lot, you might want to just do it this way.

So we grabbed all the entries in our Security log, and we can see that admin was tried eight times, so maybe we want to investigate more on admin. Then what I would do is come in and do log and pipe this to Where-Object, UserTried -eq admin, and then I would have all the attempts, and I could easily say, oh wow, this IP is trying to password spray the admin, let's do something about it, let's block this IP. So that's very, very easy. Or in the case of, let's say it wasn't admin, it was a regular user account, and that user is constantly being locked out: all right, we see that all the logins are coming from this laptop at this IP address; did you maybe recently change your password and you just forgot to update your password on this device? Let's say they have an iPhone and you see that it's coming from their iPhone, that they just haven't updated their password on their Exchange, maybe, and they're constantly logging in and constantly hitting that server, locking them out. So those are all different scenarios that I've encountered in the past.

Anyway, hopefully that helps you guys with getting some event logs and events out of the Event Viewer with the Get-EventLog cmdlet. In the next video we'll be looking at the Get-WinEvent cmdlet, which has some slightly different options and is definitely a lot faster than Get-EventLog if you know how to use it properly with the different options that you get; otherwise it could be very much similar performance. But I'll be showing you guys how to use the XPath and the FilterXml, and maybe I might even get into the hash table filtering, although that one is a little bit more complicated; I prefer the XPath and the XML since those are a little bit easier for figuring out what type of query you need to put in. So like, comment and subscribe, and hit that notification bell to be notified when that next video comes out, and I will see you guys in the next video.
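The procedure walked through in the captions (pull event 4625 from the Security log for the last hour, map the ReplacementStrings indexes, build objects, then group and filter them) as one complete script. This is an added example written for this page, not the video's own script; it uses [PSCustomObject] instead of New-Object/Add-Member and adds the Status/SubStatus and LogonType fields (indexes 7, 9 and 10 of a 4625 event), which the video does not cover. It assumes Windows PowerShell 5.1, since Get-EventLog is not available in PowerShell 7, and an elevated session, because the Security log is not readable by standard users. $Hours, $ComputerName and the property names are this example's own choices. Note that -InstanceId 4625 is narrower than -EntryType FailureAudit, which returns every audit failure in the log, not only failed logons.

```powershell
# Added example, not the video's script. Requires Windows PowerShell 5.1 (Get-EventLog was
# removed in PowerShell 7) and an elevated prompt (the Security log needs admin rights).
# $Hours, $ComputerName and the output property names are assumptions made for this example.
param(
    [int]$Hours = 1,
    [string]$ComputerName = $env:COMPUTERNAME
)

$after = (Get-Date).AddHours(-$Hours)

# 4625 = "An account failed to log on". -EntryType FailureAudit would also match it,
# but returns every audit failure in the log, so the event ID is the tighter filter.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName `
    -Source 'Microsoft-Windows-Security-Auditing' -InstanceId 4625 -After $after

# Dump index -> value for one entry. Use this when mapping a new event ID; the index
# layout differs per event ID and cannot be guessed from the message text.
function Show-ReplacementStringIndex {
    param([System.Diagnostics.EventLogEntry]$Entry)
    for ($x = 0; $x -lt $Entry.ReplacementStrings.Count; $x++) {
        Write-Output ("{0} - {1}" -f $x, $Entry.ReplacementStrings[$x])
    }
}

# Fixed ReplacementStrings layout for 4625:
#   5 TargetUserName, 6 TargetDomainName, 7 Status, 9 SubStatus, 10 LogonType,
#   13 WorkstationName, 19 IpAddress.
# Common SubStatus values: 0xC0000064 user does not exist, 0xC000006A wrong password,
# 0xC0000234 account locked out, 0xC0000072 account disabled.
$log = foreach ($event in $events) {
    $rs = $event.ReplacementStrings
    [PSCustomObject]@{
        TimeGenerated  = $event.TimeGenerated
        UserTried      = $rs[5]
        DomainTried    = $rs[6]
        Status         = $rs[7]
        SubStatus      = $rs[9]
        LogonType      = $rs[10]   # 3 = network (NTLM/SMB), 10 = RDP, 2 = interactive
        ClientNameFrom = $rs[13]
        ClientIpFrom   = $rs[19]
    }
}

# Which accounts are being hit, and from where? Same Group-Object step as the video.
Write-Output "Failed logons per account (last $Hours h):"
$log | Group-Object UserTried | Sort-Object Count -Descending | Select-Object Count, Name

Write-Output "Failed logons per source IP:"
$log | Group-Object ClientIpFrom | Sort-Object Count -Descending | Select-Object Count, Name

# Drill into the most-targeted account. Many attempts from one IP with SubStatus
# 0xC000006A (or 0xC0000064 for a name that does not exist) reads like a spray;
# one workstation repeating a wrong password for a real user reads like a stale
# credential on that device.
$top = $log | Group-Object UserTried | Sort-Object Count -Descending |
    Select-Object -First 1 -ExpandProperty Name
if ($top) {
    Write-Output "Attempts against '$top':"
    $log | Where-Object { $_.UserTried -eq $top } |
        Format-Table TimeGenerated, DomainTried, ClientNameFrom, ClientIpFrom, LogonType, SubStatus -AutoSize
}
```

Run it as `.\Get-FailedLogons.ps1 -Hours 4` from an elevated Windows PowerShell prompt to reproduce the four-hour view from the video, or schedule it hourly and pipe `$log` to `Export-Csv` instead of `Format-Table`. One caveat the captions do not mention: 4625 is written on the machine that processed the logon attempt, so for domain accounts that means the member server or workstation for NTLM attempts, while Kerberos failures show up on the domain controllers under different event IDs.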
Info
Channel: JackedProgrammer
Views: 12,044
Keywords: powershell basics, powershell, windows powershell, programming, coding, scripting, powershell scripting, powershell scripting tutorial, powershell tutorial, event viewer, event logs, get-eventlog, log, events
Id: 0V8c4tkAAWE
Length: 19min 54sec (1194 seconds)
Published: Mon Jan 24 2022