SEC505

Search Event Logs
PowerShell provides powerful tools for querying, filtering, and analyzing Windows event logs. Whether you're working with local or remote logs, PowerShell allows you to extract meaningful information and generate reports. This guide covers the use of Get-WinEvent, Get-EventLog, and advanced techniques like XPath queries and hash table filters.

1. Introduction to Event Logs

Windows event logs store critical information about system events, security incidents, and application activities. PowerShell allows you to:

  • Query logs on local or remote systems.

  • Filter logs based on specific criteria.

  • Export logs to formats like CSV or HTML for further analysis.

2. Using Get-WinEvent

The Get-WinEvent cmdlet is the modern way to query event logs. It supports both classic logs (System, Security, Application) and newer logs introduced in Windows Server 2008 and later.

Listing Event Logs

To list all available event logs:

Get-WinEvent -ListLog * | Select-Object LogName | Sort-Object LogName

To list logs starting with "S" on a remote computer:

Get-WinEvent -ListLog S* -ComputerName "server47"

Querying Specific Logs

To retrieve the last 20 events from the System log:

$logData = Get-WinEvent -LogName System -MaxEvents 20

To export the last 2,000 events from the Application, Security, and System logs to a CSV file:

$events = Get-WinEvent -LogName Application -MaxEvents 2000
$events += Get-WinEvent -LogName Security -MaxEvents 2000
$events += Get-WinEvent -LogName System -MaxEvents 2000
$events | Sort-Object -Property TimeCreated |
    Select-Object -Property MachineName, TimeCreated, LogName, ID |
    Export-Csv -Path EventData.csv

3. Filtering with Get-WinEvent

Using Hash Tables

Hash tables allow you to filter logs based on specific properties. Supported properties include:

  • LogName

  • ProviderName

  • ID

  • Level

  • StartTime

  • EndTime

Example: Filter by Event ID

To retrieve events with ID 4624 from the Security log:

Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4624}

Example: Filter by Time Range

To retrieve Security log events between 5 and 3 days ago:

$Day5Ago = (Get-Date).AddDays(-5)
$Day3Ago = (Get-Date).AddDays(-3)
Get-WinEvent -FilterHashTable @{LogName="Security"; StartTime=$Day5Ago; EndTime=$Day3Ago}

Example: Filter by Log Level

To retrieve Warning events from the Application log:

Get-WinEvent -FilterHashTable @{LogName="Application"; Level=3}

Example: Filter on Remote Computer

To retrieve the last 10 Critical, Error, and Warning events from the System log on a remote computer:

Get-WinEvent -FilterHashTable @{LogName="System"; Level=@(1,2,3)} -MaxEvents 10 -ComputerName "server47.testing.local"
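
A hash table filter only narrows on the System-level properties listed above; the account, source address and status of a logon live in the event's EventData and have to be pulled from its XML. The following is an added example, not code from the SEC505 page, that combines LogName, ID and StartTime in one filter, extracts those fields, and summarizes failed logons (Security ID 4625) from the last 24 hours. It assumes read access to the Security log (run elevated) and that some 4625 events exist.

```powershell
# Added example (not from the SEC505 page): summarize failed logons (Security ID 4625)
# from the last 24 hours by account and source address, then export the summary.
$since = (Get-Date).AddHours(-24)

# Log, event ID and time window are all evaluated by the event log service
# before any objects reach the pipeline, which is what makes this fast.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# The named EventData fields are only available through the event's XML.
$rows = foreach ($e in $failed) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']
        # 0xC000006A = bad password, 0xC0000064 = account does not exist
        Status      = $data['Status']
    }
}

# Many failures from one source against many accounts, or against one account,
# is the pattern a reviewer wants surfaced first.
$summary = $rows |
    Group-Object -Property Account, SourceIP |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ n = 'Account';  e = { $_.Group[0].Account } },
        @{ n = 'SourceIP'; e = { $_.Group[0].SourceIP } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path .\FailedLogons.csv -NoTypeInformation
```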

4. Advanced Filtering with XPath Queries

XPath queries allow for more complex filtering. You can use the Event Viewer to generate XPath queries and then use them in PowerShell.

Generating XPath Queries

  1. Open Event Viewer.

  2. Right-click a log and select Filter Current Log.

  3. Configure the filter on the Filter tab.

  4. Switch to the XML tab and copy the XML query.

Using XPath Queries in PowerShell

To retrieve Critical, Error, and Warning events from the System log in the last 24 hours (timediff() is measured in milliseconds, so 24 hours is 86400000, and the comparison operator has to be XML-escaped as &lt;= inside the query):

$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $query | Export-Csv -Path .\searchresults.csv
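
Where XPath goes beyond a hash table is filtering on EventData fields and suppressing known noise inside the query itself. The following is an added example, not from the SEC505 page: it finds interactive RDP logons (Security 4624 with LogonType 10) from the last 7 days on a remote host, drops a known noisy account, and shows the same Select clause passed through -FilterXPath. The host name and the account name are placeholders.

```powershell
# Added example (not from the SEC505 page): RDP logons in the last 7 days via an
# Event Viewer-style XML query. 7 days = 604800000 ms; '<=' must be '&lt;=' in XML.
# <Suppress> removes events even when <Select> matched them; here it drops a known
# noisy service account (placeholder name 'svc-scanner').
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='svc-scanner']]
    </Suppress>
  </Query>
</QueryList>
'@

# Placeholder host name; -FilterXml works against remote computers too.
$rdp = Get-WinEvent -FilterXml $query -ComputerName 'dc01.example.local' -ErrorAction SilentlyContinue

# Properties[] holds the EventData values in schema order; for 4624, index 5 is
# TargetUserName, 6 is TargetDomainName and 18 is IpAddress.
$rdp |
    Select-Object -Property TimeCreated, MachineName,
        @{ n = 'Account';  e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'SourceIP'; e = { $_.Properties[18].Value } } |
    Sort-Object -Property TimeCreated -Descending |
    Export-Csv -Path .\RdpLogons.csv -NoTypeInformation

# The Select clause alone can be passed with -FilterXPath (a plain string, so no
# escaping and no <Suppress> support).
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 604800000]]]" +
         " and *[EventData[Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5
```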

5. Using Get-EventLog (Legacy)

The Get-EventLog cmdlet is older and less efficient than Get-WinEvent. It downloads entire logs before filtering, making it slower for remote queries.

Listing Event Logs

To list event logs and their settings:

Get-EventLog -List

Querying Specific Logs

To retrieve the last 20 events from the System log:

Get-EventLog -LogName System -Newest 20

Filtering Logs

To retrieve Warning and Error events from the last 500 System log events:

Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.EntryType -match "^Warning|^Error" }

To retrieve the last 10 user account creation events from the Security log:

Get-EventLog -LogName Security |
    Where-Object { $_.EventID -match "^624$|^4720$" } |
    Sort-Object -Property TimeGenerated |
    Select-Object -Last 10

6. Writing and Clearing Event Logs

PowerShell also provides cmdlets for managing event logs:

  • Clear-EventLog: Clears event logs.

  • Write-EventLog: Writes custom events to a log.

  • Limit-EventLog: Configures log size and retention policies.

Example: Clear Logs on a Remote Computer

To clear the System and Application logs on a remote computer:

Clear-EventLog -LogName System, Application -ComputerName Server57
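
Write-EventLog only accepts a source that has already been registered, and Limit-EventLog is how you stop a log from filling up and dropping the events you rely on. The following is an added example, not from the SEC505 page, that registers a source, writes an audit event through it, and sets the Application log's size and overflow policy. These cmdlets (New-EventLog, Write-EventLog, Limit-EventLog, Get-EventLog) exist only in Windows PowerShell 5.1, not PowerShell 7, and need an elevated session; the source name is made up.

```powershell
# Added example (not from the SEC505 page). Windows PowerShell 5.1, run elevated.
$source = 'SEC505-Scripts'   # made-up source name

# A source must be registered once before Write-EventLog will accept it.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Record what the script did, where a collector reading the Application log will see it.
Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 1000 `
    -Message "Event log review completed by $env:USERNAME on $env:COMPUTERNAME at $(Get-Date -Format o)"

# 64 MB, overwrite the oldest entries when full: new events are never dropped.
Limit-EventLog -LogName Application -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

# Confirm the entry landed and check the resulting log settings.
Get-EventLog -LogName Application -Source $source -Newest 1 |
    Format-List -Property TimeGenerated, EventID, EntryType, Message
Get-EventLog -List | Where-Object { $_.Log -eq 'Application' }
```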

7. Appending to Custom Logs

You can create and manage custom logs using Add-Content and Import-Csv.

Example: Append to a Custom Log

Add-Content -Path "C:\Logs\CustomLog.txt" -Value "New log entry"