PowerShell Tutorials Event Viewer #3 : Get-WinEvent (Filter by Hashtable)

Captions
Hi and welcome to part 3 of this PowerShell tutorial series based around cmdlets for the Event Viewer. In the last two videos we've seen Get-EventLog in the first video and then Get-WinEvent in the second video. In the second video we mostly focused on the XML filtering and the XPath filtering, so in this last video for this series of really getting to know these cmdlets we're going to be looking at filtering by hash table for the Get-WinEvent cmdlet. We're going to be building out a very similar query to the ones that we've seen in the past, just so we can recreate the same filter all three different ways and then give you guys the ability to pick which one is best for you, and also best in the scenario that you're trying to figure out, or just do the least amount of scripting possible for the result that you would want to get. Because there's really no point in doing XPath if all you really want to do is a very, very simple filter; XML might be a lot easier, or the hash table, if you prefer hash tables, might be even easier for you guys.

So let's go ahead and get started by first creating a variable called filter, and we're going to create this as a hash table. As we know, it is just an at symbol and then open and close curly brackets, and we're just going to make some space in here. Now that we have our filter, we are also going to do our Get-WinEvent, and in here we're going to put the parameter FilterHashtable and we're going to put our filter in here. Now, we aren't assigning this to a variable just yet; I just want to show you guys how this kind of works. Right now if we execute this, nothing will work because we are not even specifying the log that we want, so let's go ahead and do a LogName up here in the filter and we're going to set that equal to Security. Once we have that in there, we're going to see that we're getting all of our Security events, so very, very similar to this, where we actually just do the LogName Security, or in here where we do the XML, where we have the path here for Security. So very, very similar already.

Then what we want to make sure we do is we always want to grab these Microsoft Windows Security Auditing events. So in here, this is the provider name, so for the hash table that is just going to be ProviderName, and then we're going to make that equal to single quote, oops, single quote, and let's just copy this again. Perfect. We're going to make that equal to Microsoft-Windows-Security-Auditing, and then we know that the event ID that we need is going to be 4625. Now, in the hash table filter it is actually not called EventID; all we're actually going to be looking for is just the word Id, as we can see here in our results we get just Id. So let's do Id equals single quote single quote, and inside of that we're going to put 4625. If we run all of this now, we only get our failed login attempts, and as you can see we get all of them for the last couple of days here, so there's no time filtering yet on these.

To do the time filtering we are going to have to do a StartTime, and we're going to make that equal to our dollar sign, open-close parentheses, and do a Get-Date inside of there, and then a .AddHours and then a minus one to get us the last hour. Right now if I do this we aren't going to get anything, so let me go ahead and send some events here so we can actually get some failed logins. All right, that should be good. So now if we run this, here we are: we can see that it is the 22nd of January and it's just afternoon, and we can see that we have six failed logins now.

So let's go ahead and assign this to the variable called events, and now we can go into our scripts that we had yesterday, or the other day I should say, not yesterday, and we could just grab all this code here that we used, which was creating a log variable and then going through the events and grabbing the specific properties that we wanted, and then we group them by the username. If we run this once again we can see that we get very, very much the same results, but doing this filter by hash table.

Now, there are a few limitations to the filter by hash table, but there are also quite some advantages that are a little bit easier to do by hash table. Let's say we only wanted to do events between certain times: in the hash table we could easily do an EndTime as well. So what we could do here is Get-Date, and then we could do a year, let's do 2022, and then the date, let's do the 17th; I'm going to want to get all the events that just weren't today. So let's do the date, the 17th, and then the month, we're going to do the first. Then for the StartTime we are going to do, um, year is going to be 2022, oh actually, date is going to be the 17th, month is going to be 1, and then the end date we're just going to put to the 21st. So now if we do this, I think we should in theory get, let me just see what this actually equals out to be, January 1st? Oh, actually I selected the wrong one: this should be -Day and not -Date. Once we have that figured out, let's go ahead and select everything. So here we are. Now if I just look at the log events, here's all the logs that we have, and now we don't have the time of these, so we wouldn't actually know if this query actually worked.

So let's go ahead and add this in here into our log event, our log entry I should say. Let's do an Add-Member at the top: our InputObject is going to be the log entry, because we are inserting into our log entry; our MemberType is going to be a NoteProperty; our Name is going to be Time; and then our Value is going to be event, because our foreach loop is going through the events, and in there there should be a TimeCreated. So that should be good. Let's go ahead and just remove this Group-Object and let's see what this looks like now. Here we are: we're seeing a whole bunch on the 17th here and then a bunch on the 19th, and that's it. Now if we just do the 17th to the 18th, we can see that we only get the 17th. If we wanted to get all the way to today, we could put the end date as the 22nd, and let's see what that looks like: we can see all the 17th here, give me one second, all the 17th, the 19th, and the 22nd comes up as well.

So the filter hash table is definitely very useful. I would say the filter hash table is probably the easiest for doing a start and end time, if you want to look at a specific time, and then the XPath is very, very useful if you have the need to specify a user. Now, with the hash table you can specify a user, but that will only work on versions of PowerShell 6 and up. Right now I'm still currently using, for these videos, PowerShell 5.2, but I will be doing a video very soon on how to install PowerShell 7, and then after that video we will be using PowerShell 7.2, I believe that's where they're at now, and we'll be using that from then on. But the filter hash table does have some additional filtering options in PowerShell 6, and I will actually post a link to that documentation, because in PowerShell 6 and later you would actually be able to do filtering on this target username in a hash table, which would really make XPath and hash table pretty identical in terms of flexibility. And I would say that the hash table is a little bit easier to write because there's just not as much of a learning curve as learning another query language. Then the XML is very, very easy if you don't have anything very specific; you just want to look for a specific type of event for, like, the last hour or something. It's very, very easy: you go into Event Viewer, you kind of create your filter in Event Viewer, and then just copy-paste that XML directly into your PowerShell. And then Get-EventLog is very useful if you just have a very basic query.

Now, the only thing about Get-EventLog is I believe it is actually deprecated at this point, so I definitely wouldn't recommend using Get-EventLog; I would always recommend using Get-WinEvent in any of these ways. One, they're a lot faster, and they're just a lot more flexible in what you can get out of them. I know that they are still around; I don't know, Get-EventLog, I'm using Windows Server 2019 or 2016 on this, so on 2016 it's definitely still around. I don't know about on 2019; I believe it still is, but I believe they're trying to get away from it. I could be wrong on that. But that would be my Event Viewer overview of all the different cmdlets. We'll be doing some projects that will actually integrate some of these scripts later on, so definitely be on the lookout for those, and we might actually integrate some RestPS in that as well. So if you guys like this video, leave a like and a comment down below, and please subscribe and hit that notification bell to be notified when that next video comes out. I will see you on the next video.
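The hashtable filter and the per-user grouping walked through in the captions, as an added PowerShell example that is not the video's own script. It uses the video's values (Security log, provider Microsoft-Windows-Security-Auditing, Id 4625, 17 to 21 January 2022); reading the EventData fields by name from the event XML instead of by position is an assumption of this example, as is running it from an elevated prompt, which the Security log requires.

```powershell
# Added example, not the video's code: 4625 (failed logon) filter as a hashtable.
$Filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4625
    StartTime    = Get-Date -Year 2022 -Month 1 -Day 17   # keeps the current time of day
    EndTime      = Get-Date -Year 2022 -Month 1 -Day 21
}
# "Last hour" variant shown earlier in the video:
# $Filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
# On PowerShell 6+ the video notes a named data key (e.g. TargetUserName = 'alice')
# can be added to this hashtable; on 5.x the user is filtered after retrieval instead.

# Get-WinEvent reports "No events were found" as an error when nothing matches;
# silence it so an empty window simply yields $null and the loop below does nothing.
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Log = foreach ($Event in $Events) {
    # Pull EventData fields (TargetUserName, IpAddress, LogonType, ...) by name from
    # the event's XML, so the script does not depend on Properties[] ordering.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

    $LogEntry = [PSCustomObject]@{
        Username  = $Data['TargetUserName']
        Domain    = $Data['TargetDomainName']
        SourceIp  = $Data['IpAddress']
        LogonType = $Data['LogonType']
    }
    # Same Add-Member step as in the video, so the time window can be checked by eye.
    Add-Member -InputObject $LogEntry -MemberType NoteProperty -Name Time -Value $Event.TimeCreated
    $LogEntry
}

# Failed logons per account, most targeted first, with the distinct source IPs:
# a quick way to spot password spraying or brute forcing in the chosen window.
$Log | Group-Object Username | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources'; e = { ($_.Group.SourceIp | Sort-Object -Unique) -join ', ' } }
```

Drop the final Group-Object pipeline and output $Log directly to see the individual entries with their Time column, as the video does when checking the date range.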
Info
Channel: JackedProgrammer
Views: 3,314
Keywords: powershell basics, powershell, windows powershell, programming, coding, scripting, powershell scripting, powershell scripting tutorial, powershell tutorial, event viewer, event logs, get-eventlog, log, events, xml, hashtable, powershell scripting for beginners
Id: hIMcQqqtxq4
Length: 12min 13sec (733 seconds)
Published: Mon Jan 31 2022