Many people use a command-line utility named LogParser to investigate logs
produced by Windows products. An alternative exists for interrogating Windows
event logs: the Get-Event-Log cmdlet in Windows PowerShell. PowerShell is Microsoft's
new command line shell and scripting environment built on the Windows .NET Framework
2.0.
PowerShell supplies a number of built-in cmdlets (pronounced command-lets)
that you can use from the command line or a script to administer a Windows
environment. You can use the Get-EventLog cmdlet to obtain information about
event logs and the events they contain. For example, the command
get-eventlog -list
generates a list of event logs on the system. Besides each event log's name,
the list includes each event log's retention period, overflow action, maximum
size, and number of entries. To obtain information about events in the Security
log only, you can use the command
get-eventlog security
You can link multiple cmdlets by using a piping operator (|) that passes information from one cmdlet to the next. Note that the information is piped in the form of .NET objects rather than text data (which is what happens in most other shell environments). However, most security logs contain too many entries for piping to be useful. Fortunately, PowerShell contains a cmdlet namedWhere-Object (which is usually abbreviated to Where) that you can use to filter information. For example, if you want to check for successful logons that occur outside typical business hours (in this case, between 8 P.M. and 8 A.M.), you can run the following command:
get-eventlog security | where
{$_.EventId -eq 528 -and
($_.TimeGenerated.TimeOfDay
-gt '20:00:00' -or
$_.TimeGenerated.TimeOfDay
-lt '08:00:00' )}
(Although this command appears on several lines here, you would enter it on
one line in the command-shell window. The same holds true for the other multiline
commands in this article.) In this command, you might have noticed
- The $_ symbol—It refers to the object being passed to the pipe. To
find the properties of event log objects, you can run the command
get-eventlog system |
get-member
- EventId—Because PowerShell is based on the .NET Framework, you can
use the .NET Framework's EventID property to obtain information about a specific
type of event. In this case, you're looking for successful logons, so the
event ID is 528.
- TimeGenerated.TimeOfDay—The.NET Framework's TimeGenerated property
represents the date and time when an event was generated. To filter events
only by their time, you can append the TimeOfDay property. The ?gt parameter
specifies the starting time, whereas the ?lt parameter specifies the ending
time.
I've only scratched the surface of how you can use PowerShell to investigate
Windows event logs. I strongly suggest that you download PowerShell Release
Candidate 1 (RC1), which is the most current version at the time of this writing,
at http://www.microsoft.com/downloads/details.aspx?Fa
milyId=2B0BBFCD-0797-4083-A817-5E6A054A85C9&displaylang=en and get familiar
with its cmdlets.
Discovering how you can use cmdlets to administer your systems is a worthwhile
investment of your time.
Register
