EventLogs PowerShell: Search for LOGS

Get-EventLog vs. Get-WinEvent
------------------------------
Get-EventLog only works against the classic event logs (System, Application, Security and the other logs that Get-EventLog -List shows), not the newer ETL logs (Event Trace Logs) that came with Event Tracing for Windows (ETW) in Windows Vista and later. The most important difference between the two cmdlets is that Get-WinEvent reads those newer logs as well as the classic ones, while Get-EventLog cannot.

List the registered providers, or the events one provider can write:
Get-WinEvent -ListProvider *
(Get-WinEvent -ListProvider TPM).Events

Classic logs, locally and on a remote computer:
Get-EventLog -LogName System
Get-EventLog -LogName System -ComputerName Server1
(Get-WinEvent -ListProvider TPM -ComputerName Server1).Events

Finding problems on multiple computers
---------------------------------------
Get-EventLog -LogName System -ComputerName Server1, Server2, Server3
Get-WinEvent -LogName Application
Get-WinEvent -LogName Application -MaxEvents 10
Get-WinEvent -ListLog *
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10
Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker/BitLocker Management' | Format-List -Property *
Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker/BitLocker Management' -ComputerName contososrv1 | Format-List -Property *

Security events from the last week, filtered on a list of event IDs (membership in a list is tested with -in; -eq against a list never matches):
[datetime]$oneWeekAgo = (Get-Date).AddDays(-7)
Get-EventLog -LogName Security -After $oneWeekAgo -ComputerName . | ? {$_.EventID -in 41,6005,6006,6008,6009,1074,1076}

Get-EventLog System -EntryType Error,Warning -Newest 10 | Out-GridView
Get-EventLog System -Source *Hyper-V* -After "10/12/2022" | Out-GridView
Get-EventLog -LogName System | Where-Object {$_.EntryType -match "Error"}

Review Active Directory Domain Service events with PowerShell
-------------------------------------------------------------
Get-EventLog -List
Get-EventLog -Newest 5 -LogName System
Get-EventLog -LogName 'Directory Service' | fl
Get-EventLog -Newest 5 -LogName 'Directory Service'
Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error
Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'REBEL-SRV01' | fl -Property *
Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName "localhost","REBEL-SRV01"
Get-EventLog -LogName 'Directory Service' | Where-Object {$_.EventID -eq 1000}

Log names returned by Get-EventLog -List:
Application
HardwareEvents
Internet Explorer
Key Management Service
Security
System
Windows PowerShell
Directory Service -----> only present on a DC (Domain Controller / Active Directory); run the 'Directory Service' queries there

Show-EventLog -ComputerName "Server01"

Get Windows event logs (Application) for last 24 hours using PowerShell
-----------------------------------------------------------------------
Get-EventLog -LogName Application -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object EventID, TimeGenerated, Message | ConvertTo-Html | Out-File C:\Temp\errorlist.htm

4624 An account was successfully logged on.
-------------------------------------------
Get-EventLog -Newest 5 -LogName Security -InstanceId 4624

4634 An account was logged off.
-------------------------------
Get-EventLog -Newest 5 -LogName Security -InstanceId 4634

4625 An account failed to log on.
---------------------------------
Get-EventLog -Newest 5 -LogName Security -InstanceId 4625

Tracking and Analyzing Remote Desktop Connection Logs in Windows
----------------------------------------------------------------
Get-WinEvent -LogName Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Select events from multiple logs at once. For example, to get errors and warnings from the System and Application logs for the last 24 hours:
-------------------------------------------------------------------------------------------------------------------------------------------
$StartDate = (Get-Date) - (New-TimeSpan -Day 1)
Get-WinEvent Application,System | Where-Object {($_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning") -and ($_.TimeCreated -ge $StartDate)}

Use Select-Object or Format-Table to display only specific event fields:
------------------------------------------------------------------------
Get-WinEvent -LogName System | Format-Table MachineName, TimeCreated, Id, UserId

Find specific text in the event description:
--------------------------------------------
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object {$_.Message -like "*USB*"}

Export RDP connection logs from the Event Viewer to a CSV file
--------------------------------------------------------------
WEVTUtil query-events Security > c:\ps\rdp_security_log.txt
Or with PowerShell:
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Export-Csv c:\ps\rdp_connection_log.txt -Encoding UTF8

Shutdown/restart requests (event ID 1074 in the System log):
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} | ft TimeCreated, Id, Message

Event ID 4624 in the Security event log, An account was successfully logged on:
-------------------------------------------------------------------------------
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } -MaxEvents 1
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } -MaxEvents 1 | Select-Object -Property Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } -MaxEvents 1 | Convert-EventLogRecord | Select-Object -Property TargetUserName
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } | Convert-EventLogRecord | Where-Object -Property TargetUserName -NE 'SYSTEM' | Select-Object TargetUserName, TimeCreated, LogonType
Note: Convert-EventLogRecord is not a built-in cmdlet; it comes from Jeff Hicks's PSScriptTools module (see the jdhitsolutions link at the end).

How to find a logged-in user remotely using PowerShell:
-------------------------------------------------------
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
OR
Get-WmiObject -ComputerName CLIENT1 -Class Win32_ComputerSystem | Select-Object UserName
OR
query user /server:$servername

Logon and logoff events inside a time window (StartTime and EndTime take DateTime values; hashtable entries are separated by semicolons or newlines):
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4624, 4634
    StartTime = (Get-Date).AddDays(-1)
    EndTime   = Get-Date
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624, 4634 } -MaxEvents 10

The same with Get-EventLog (-InstanceId and -Newest are Get-EventLog parameters, they do not belong in a FilterHashtable):
Get-EventLog -LogName Security -InstanceId 4624 -Newest 10

Get-EventLog -LogName Application -InstanceId 916
Get-EventLog -Newest 5 -LogName 'Directory Service' | Where-Object {$_.EventID -eq 1000}

Write-Host and Write-Output?
$computer = Read-Host "AD1"
gwmi Win32_ComputerSystem -ComputerName $computer | Select-Object UserName, Caption, Manufacturer

Get-CimInstance -ClassName Win32_WinSAT

Security log queries by event ID (Get-WinEvent records expose ProviderName and Id, not Source/EventID/InstanceId):
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624,4634,4672,4732,4648,4688,4768 } | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | Select-Object -Property ProviderName, Id, TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } -MaxEvents 1 | Format-List
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4624 } -MaxEvents 1 | Out-GridView -PassThru | ConvertTo-Html | Out-File pslog.htm
Get-WinEvent -FilterHashtable @{ LogName="Security"; ID=4778 } -MaxEvents 1 | Out-GridView -PassThru | Out-File -Path C:\temp\ProcessLog.txt
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}
Get-EventLog -LogName System -Source Outlook | Where-Object {$_.EventID -eq 4625} | Select-Object -Property Source, EventID, InstanceId, Message

RDP session events from the LocalSessionManager log, and the current sessions:
Get-WinEvent -LogName Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Where-Object {$_.Id -eq 21} | Select-Object -ExpandProperty Message -First 1
Get-EventLog -LogName System -InstanceId 21
qwinsta

Event IDs for session tracking:
Logon - 4624
Logoff - 4647
Startup - 6005
RDP Session Reconnect - 4778
RDP Session Disconnect - 4779
Locked - 4800
Unlocked - 4801

qprocess /id:5

Sources:
https://woshub.com/how-to-clear-rdp-connections-history/
https://jdhitsolutions.com/blog/powershell/8132/searching-active-directory-logs-with-powershell/
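The FilterHashtable time-window query and the Convert-EventLogRecord field extraction above can be combined into one script without any extra module. The following is an added example, not part of the original notes: it pulls 4624/4625/4634 from the Security log for the last N hours, parses each record's EventData XML into named properties (TargetUserName, LogonType, IpAddress, ...), and summarizes failed logons per account and source address. The function name Get-LogonEventSummary and its parameters are assumptions made here.

```powershell
# Added example (not from the original notes): query Security logon events with
# Get-WinEvent -FilterHashtable, parse the EventData XML into properties, and
# summarize failed logons (4625) per account and source address.
# Assumes an elevated session on a host whose Security log holds these IDs;
# $ComputerName and $Hours are parameter names chosen here.
function Get-LogonEventSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4634
        StartTime = (Get-Date).AddHours(-$Hours)
        EndTime   = Get-Date
    }
    # Get-WinEvent raises a non-terminating "No events were found" error when
    # the filter matches nothing; treat that as an empty result instead.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            Id             = $e.Id
            TargetUserName = $data['TargetUserName']
            TargetDomain   = $data['TargetDomainName']
            LogonType      = $data['LogonType']
            IpAddress      = $data['IpAddress']      # absent on 4634
            Workstation    = $data['WorkstationName']
            FailureStatus  = $data['Status']         # only populated on 4625
        }
    }
}

# Failed logons grouped by account and source, most frequent first: a quick
# view for spotting password guessing or a service account with a stale password.
Get-LogonEventSummary -Hours 24 |
    Where-Object Id -eq 4625 |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Pipe the function's output to Export-Csv instead of the Group-Object chain to keep the parsed records for later review.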