My group got a task Friday to search for Event IDs 4660,4663,4625,4776,4777,4720,4722,4725,4726,4724,4732,1104,4657,4663,4688,5140,5156,617,632,636,643,660 on domain controllers. While doing the initial search using the GUI, we noticed it locks up the system.
I found this on the site, and looking at it, it might be a direction that, when modified, can get the desired results.
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object {$_.ID -eq "4100" -or $_.ID -eq "4104"}
I was wondering, is there a way to do this search using PowerShell and place the results in a file or something?
9 Spice ups
Neally
(Neally)
December 19, 2022, 10:43pm
2
sure thing
This cmdlet is only available on the Windows platform. The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event...
e.g.
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
Where-Object {$_.ID -eq "4100" -or $_.ID -eq "4104"} |
select-object id, Message|
export-csv "someFile.csv" -notypeinformation
reubenhyman1629
(reubenhyman1629)
December 20, 2022, 12:02am
3
Thanks,
I believe something like this will work; I have no idea how they want this information presented to them.
Thanks
reubenhyman1629
(reubenhyman1629)
December 20, 2022, 12:08am
4
Maybe I could find a way to edit it so that if the ID is not found I would know, or run the script one at a time for each ID; then I would know if it is not found.
Thanks
s31064
(s31064)
December 22, 2022, 8:01pm
5
I don’t have a system to test on right now, but I think this modification might give you what you want. It’s going to take longer because you’re checking every error ID separately, but you’ll know what’s found and what’s not.
$Errors = @(4660,4663,4625,4776,4777,4720,4722,4725,4726,4724,4732,1104,4657,4663,4688,5140,5156,617,632,636,643,660)
$Log = 'Microsoft-Windows-PowerShell/Operational'
foreach ($ID in $Errors)
{
    # Get-WinEvent writes an error (and returns nothing) when no event matches, so
    # silence that and test whether anything came back instead of comparing to $true
    $Found = Get-WinEvent -LogName $Log -ErrorAction SilentlyContinue | Where-Object {$_.ID -eq $ID}
    if ($Found)
    {
        # -Append so each ID's rows accumulate in one file instead of overwriting the previous ID's
        $Found | Select-Object Id, Message | Export-Csv "someFile.csv" -NoTypeInformation -Append
    }
    else
    {
        "Error $ID not found in $Log"
    }
}
Note that by making the log name a variable, you can create an array of logs and check each log individually just as you’re doing with the error IDs.
mike-crowley
(mike-crowley)
January 24, 2023, 12:30am
6
Your approach (and the other comments here) would be incredibly slow. You’re asking it to get ALL logs and then where-object does the filtering. You should filter in the initial query.
e.g.
#Define servers
$DomainControllers = @(
    'serverabc.contoso.local'
    'serverdef.contoso.local'
    'serverghi.contoso.local'
)
#Search filter (applied by the event log service, so only matching events come back)
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    ID        = 4660,4663,4625,4776,4777,4720,4722,4725,4726,4724,4732,1104,4657,4663,4688,5140,5156,617,632,636,643,660
    StartTime = (Get-Date).AddHours(-24) # past 24 hours.
}
#Search
$Counter = 0
[array]$AllEvents = $DomainControllers | ForEach-Object {
    $Counter++
    Write-Host "Searching $_`. $Counter of" $DomainControllers.Count -ForegroundColor Cyan
    Get-WinEvent -FilterHashtable $filter -ComputerName $_ -ErrorAction SilentlyContinue | Select-Object @(
        "*"
        #CustomProp1
        #CustomProp2
    )
}
Write-Host "Done searching."
# do formatting if necessary:
$AllEvents
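Pulling the thread together, as an added example that is not code from any of the posts: the script below filters at the source with -FilterHashtable as mike-crowley advises, queries each domain controller, writes one CSV (what the question asked for), and tallies hits per ID so that IDs which returned nothing are listed explicitly (what s31064's per-ID loop was trying to do). Two things the snippets in the thread carry over from the question without comment: every ID in the list (4625, 4720, 4688, 5140, 5156 and the rest) is recorded in the Security log on a domain controller, not in Microsoft-Windows-PowerShell/Operational, so the filter uses 'Security'; and the three-digit IDs are pre-Vista Security IDs whose current equivalents are the legacy number plus 4096 (636 became 4732, 660 became 4756), which the script maps before querying. The host names, the output path, the 24-hour window and the rights assumed on the DCs are assumptions to adjust.

```powershell
# Added example, not code from any post in this thread.
# Assumptions (not stated in the thread): the account running this has Event Log
# Readers (or admin) rights on the DCs, the "Remote Event Log Management" firewall
# rules are enabled on them, and the host names below are placeholders.

$DomainControllers = @(
    'dc01.contoso.local'   # placeholder; replace, or enumerate with the line below
    'dc02.contoso.local'
)
# With the ActiveDirectory module: $DomainControllers = (Get-ADDomainController -Filter *).HostName

# The list from the question, verbatim. 4663 appears twice, and the three-digit
# entries are pre-Vista Security IDs; their current equivalents are legacy + 4096
# (617->4713, 632->4728, 636->4732, 643->4739, 660->4756), so map and de-duplicate.
$RequestedIDs = 4660,4663,4625,4776,4777,4720,4722,4725,4726,4724,4732,1104,4657,4663,4688,5140,5156,617,632,636,643,660
[int[]]$IDs = $RequestedIDs |
    ForEach-Object { if ($_ -lt 1000) { $_ + 4096 } else { $_ } } |
    Sort-Object -Unique

# All of these are Security-log events on a DC, so filter that log. The hashtable
# becomes an XPath query evaluated by the event log service on the DC, which is
# why this does not stall the DC the way loading the whole log in the GUI did.
$Filter = @{
    LogName   = 'Security'
    ID        = $IDs
    StartTime = (Get-Date).AddHours(-24)   # adjust the window to the tasking
}

$OutFile = Join-Path $env:TEMP ('dc-events-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

[array]$AllEvents = foreach ($DC in $DomainControllers) {
    Write-Host "Querying $DC ..." -ForegroundColor Cyan
    # -ErrorAction SilentlyContinue alone would also swallow RPC and access-denied
    # failures, so keep the errors and separate "nothing matched" from "query failed".
    $QueryErrors = $null
    $Events = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter `
                           -ErrorAction SilentlyContinue -ErrorVariable QueryErrors
    foreach ($Err in $QueryErrors) {
        if ($Err.Exception.Message -like 'No events were found*') {
            Write-Host "  no matching events on $DC in the window" -ForegroundColor Yellow
        } else {
            Write-Warning "$DC query failed: $($Err.Exception.Message)"
        }
    }
    # One flat record per event; MachineName identifies the DC in the CSV.
    $Events | Select-Object TimeCreated, Id, MachineName, ProviderName, Message
}

if ($AllEvents.Count -gt 0) {
    $AllEvents | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $($AllEvents.Count) event(s) to $OutFile"
} else {
    Write-Warning "No matching events on any DC; nothing written."
}

# Per-ID tally across all DCs. IDs with zero hits are listed explicitly instead
# of disappearing into an empty file.
$HitsByID = @{}
foreach ($E in $AllEvents) { $HitsByID[$E.Id] = 1 + [int]$HitsByID[$E.Id] }
foreach ($ID in $IDs) {
    $n = [int]$HitsByID[$ID]
    if ($n -gt 0) { '{0,5}  {1,6} event(s)' -f $ID, $n }
    else          { '{0,5}  not found on any DC in the window' -f $ID }
}
```

Reading a DC's Security log remotely still streams every matching event's message text over RPC. If the volume is large, run the same filter on the DCs themselves over WinRM with Invoke-Command -ComputerName $DomainControllers -ScriptBlock { Get-WinEvent -FilterHashtable $using:Filter }; the DCs then filter in parallel and each returned event carries a PSComputerName property you can export in place of MachineName. If the tasking really wants the legacy three-digit numbers reported as given, drop the +4096 mapping, but expect zero hits for them on any supported version of Windows.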