
Using the Get-Eventlog Cmdlet

Let’s examine how to use PowerShell to look through the Security log for suspicious events, specifically those related to clearing the log and to unsuccessful logon attempts. PowerShell offers the Get-EventLog cmdlet for viewing the classic event logs. To get a better idea of what Get-EventLog can do, let’s start with Get-Help.

get-help get-eventlog

By default, Get-Help shows just the basic syntax and parameters for a cmdlet. We can get much more with the -Full option, which lists every parameter in detail along with working examples. For now let’s use just the -Examples parameter.

get-help get-eventlog -examples

The first example uses the -List option to display which event logs exist on the computer, along with their size and retention settings. Our goal is the Security log, but it is worth seeing what other logs are present: a log for a role such as DNS or Directory Service tells you what the machine does, which may hint at why someone was trying to get into it in the first place.

get-eventlog -list

From the list above it doesn’t appear that any additional roles or services are running on this server, but that doesn’t mean it isn’t a target for malicious behaviour. Let’s take a look at the Security log and see what events have occurred.

get-eventlog security

The following event ID’s are suspicious:

  • 1102 – The audit log was cleared
  • 4625 – An account failed to log on

The Security log commonly holds tens of thousands of entries, so reading it top to bottom is not practical. Since we already know which event IDs we are looking for, let’s group the Security log by event ID so we can see how many times each has occurred.

get-eventlog security | group-object eventid

We can take this one step further by sorting the groups by event ID. Note that Group-Object exposes the ID as a string in its Name property, so this is a lexical rather than numeric sort; that is fine for the four-digit IDs used by Vista and Server 2008, but IDs of mixed length would come out in the wrong order.

get-eventlog security | group-object eventid | sort-object name
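The grouping and sorting above are the basis of a quick triage script. The following is an added example, not code from the original post: it wraps the filter/group/sort pipeline in a function, sorts numerically rather than lexically, and adds a simple check for bursts of 4625 failures, the pattern a password-guessing attack leaves. It runs against a constructed sample so it works on any PowerShell; the function names, the sample timestamps and the burst threshold are my own choices, not anything from the post.

```powershell
# Added example (not from the original post): triage Security-log events by ID,
# then look for bursts of failed logons. Works on any object with EventID and
# TimeGenerated properties, which is what Get-EventLog emits.

function Get-SuspiciousEventSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Event,
        [int[]] $WatchList = @(1102, 4625)   # audit log cleared, account failed to log on
    )
    begin   { $events = New-Object System.Collections.ArrayList }
    process { [void]$events.Add($Event) }
    end {
        # Group-Object puts the ID in the string property Name, so 'Sort-Object Name'
        # would be a lexical sort; the calculated key below forces numeric order.
        $events |
            Where-Object { $WatchList -contains $_.EventID } |
            Group-Object EventID |
            Sort-Object { [int]$_.Name } |
            ForEach-Object {
                $times = @($_.Group | ForEach-Object { $_.TimeGenerated } | Sort-Object)
                [pscustomobject]@{
                    EventID = [int]$_.Name
                    Count   = $_.Count
                    First   = $times[0]
                    Last    = $times[-1]
                }
            }
    }
}

function Test-FailedLogonBurst {
    # Flag $Threshold or more 4625 events inside a sliding window of $WindowMinutes.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 3,        # assumed tuning values, adjust to the environment
        [int] $WindowMinutes = 5
    )
    $times = @($Events | Where-Object { $_.EventID -eq 4625 } |
               ForEach-Object { $_.TimeGenerated } | Sort-Object)
    for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
        $last = $i + $Threshold - 1
        if (($times[$last] - $times[$i]).TotalMinutes -le $WindowMinutes) {
            return [pscustomobject]@{ Burst = $true; Start = $times[$i]; End = $times[$last] }
        }
    }
    [pscustomobject]@{ Burst = $false; Start = $null; End = $null }
}

# Constructed sample (not real log data): one success, four failures inside
# three minutes, a privileged logon, then the audit log is cleared.
$sample = @(
    [pscustomobject]@{ EventID = 4624; TimeGenerated = [datetime]'2010-05-14T09:00:00' }
    [pscustomobject]@{ EventID = 4625; TimeGenerated = [datetime]'2010-05-14T09:01:00' }
    [pscustomobject]@{ EventID = 4625; TimeGenerated = [datetime]'2010-05-14T09:01:30' }
    [pscustomobject]@{ EventID = 4625; TimeGenerated = [datetime]'2010-05-14T09:02:10' }
    [pscustomobject]@{ EventID = 4625; TimeGenerated = [datetime]'2010-05-14T09:03:40' }
    [pscustomobject]@{ EventID = 4672; TimeGenerated = [datetime]'2010-05-14T09:05:00' }
    [pscustomobject]@{ EventID = 1102; TimeGenerated = [datetime]'2010-05-14T09:06:00' }
)

$sample | Get-SuspiciousEventSummary | Format-Table -AutoSize
Test-FailedLogonBurst -Events $sample | Format-List

# Against the live log (Windows, elevated prompt; reading the Security log needs admin rights):
# $live = Get-EventLog -LogName Security -After (Get-Date).AddDays(-1)
# $live | Get-SuspiciousEventSummary
# Test-FailedLogonBurst -Events $live
```

On the sample, the summary reports 1102 once and 4625 four times, and the burst check fires on the first three failures (09:01:00 to 09:02:10). A single 1102 is worth investigating on its own: it should only appear when an administrator deliberately clears the log.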

Although it’s also possible to use the GUI Event Viewer to parse through the logs, it’s always worth being comfortable with a command-line alternative. In this case we used PowerShell, but the wevtutil command-line utility is just as powerful, and it can export a log to a file for offline analysis. Try the following wevtutil commands.

  • wevtutil el (full list of all event logs)
  • wevtutil gl security (configuration of the Security log: size, retention, path)
  • wevtutil epl security c:\security.evtx (exports the Security log to a file)
  • wevtutil cl security /bu:c:\security.evt (backs up the log and then clears it; clearing the Security log itself writes a fresh 1102 event, so the backup becomes the only copy of the earlier entries)
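Exporting the whole log is useful for evidence, but wevtutil can also query it in place with an XPath filter, which is how you would pull just the 1102 and 4625 events from a saved .evtx file on an analysis box. The following is an added example, not part of the original post, wrapping that query in a PowerShell function; it assumes the file was produced by the wevtutil epl command above, and the function name and default paths are my own.

```powershell
# Added example (not from the original post): filter a saved Security log
# with wevtutil's XPath query instead of reading the whole export.

function Get-WevtutilSuspicious {
    param(
        [string] $LogFile  = 'c:\security.evtx',   # assumed path from 'wevtutil epl security c:\security.evtx'
        [int[]]  $EventIds = @(1102, 4625),
        [int]    $Count    = 20
    )
    # Build an XPath 1.0 filter such as *[System[(EventID=1102 or EventID=4625)]]
    $clause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath  = "*[System[($clause)]]"

    # /lf:true   treat the path as a saved log file rather than a live log name
    # /rd:true   read in reverse (newest first)
    # /c:N       stop after N events
    # /f:text    render each event as text instead of XML
    & wevtutil.exe qe $LogFile /lf:true "/q:$xpath" /rd:true "/c:$Count" /f:text
}

Get-WevtutilSuspicious

# The same query against the live log (run from an elevated prompt):
# wevtutil qe Security /q:"*[System[(EventID=1102 or EventID=4625)]]" /rd:true /c:20 /f:text
```

Because the filter is evaluated by the event log service rather than in the shell, this is much faster than dumping the file and grepping it, and the same XPath string can be pasted straight into the Event Viewer’s custom filter dialog.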

Categories: Powershell
May 14, 2010 at 3:12 pm

    Nice job on this writeup Joe! It’s always useful to be able to get this kind of information. What’s another good thing is to forward event logs to a central collector; this way if someone does delete this information you still have a backup.

    joeroc, May 17, 2010 at 12:47 am

      Windows provides a new “Subscription” service where specific log events, or whole logs, can be forwarded to a central server (or workstation) to do just that. It uses the WS-Management protocol used by Powershell to do remote management.
