My parallel technique involves comparing what you see in the Event Viewer with the output of PowerShell commands that filter for particular log messages.
Launch the Windows 8 Event Viewer
To get started with the Event Viewer press WinKey+W; this launches the Search box with the focus on Settings.
Now type "ev" and you should see 'View event logs'.
Once the Event Viewer has initialized, expand 'Windows Logs' and you will see 'Security'.
From the Metro UI, if you start typing 'Pow' you should see the two PowerShell apps; choose the ISE version. There are two cmdlets, Get-EventLog and Get-WinEvent, and in each case you need -LogName to specify the log you want to view.
Note 1: Get-WinEvent's -MaxEvents 10 parameter speeds up the command if you have a huge log and you just want to get the command working before you put it to real work.
Get-EventLog
Alternatively, you can use the Get-EventLog cmdlet with its -Newest parameter. This is an old-fashioned, but easier to use, cmdlet.
Orientation: You are in the Event Viewer and you have pre-selected the Security log. Now go to the Actions pane on the right and click 'Filter Current Log'.
Here is where you put on your thinking hat and experiment with each setting. My choices were: Event sources = Microsoft Windows security auditing; Task category = Logon, Logoff.
Typical Microsoft: there are at least three ways of employing PowerShell to filter the logs. My favourite, especially for learning, is to pipe the output of Get-EventLog into a Where-Object statement.
Note 2: It may be clearer if you bolt on a Format-Table command. This enables you to choose the output columns, for example: | Format-Table EventID, Message -Auto
Note 3: Windows Event ID 4624 means a user logged on (and 4634 would record a logoff).
Note 4: The conditional operator -match may be better than -eq, especially for messages, e.g. Where-Object {$_.Message -match 'Key File'}
-FilterHashTable with Get-WinEvent
If you call for help (Get-Help Get-WinEvent) you can confirm that Get-WinEvent has a -FilterHashTable parameter, whereas Get-EventLog does not. While the example below filters on just two properties, it would be easy to add more criteria such as ProviderName.
Note 5: The syntax is a little tricky: a) there is no hyphen before a key inside the hash table; b) the key-value pairs are joined by = (the equals sign) and not PowerShell's -eq. Also remember the overall format @{Filter="criteria"}, with each key-value pair separated by a semicolon.
Note 6: You can also filter on ProviderName="*Auditing". For this property you can employ the famous * wildcard. Indeed you could book-end wildcards thus: "*sched*". I discovered this when searching for Scheduled events in the Application log.
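The three filtering styles described above, applied to the Security log's logon and logoff events, as an added example (not code from the original page). It assumes an elevated PowerShell session, since reading the Security log needs administrator rights, and the function name Get-LogonEvent is my own.

```powershell
# 1) Old-fashioned Get-EventLog piped into Where-Object, then Format-Table.
#    -Newest keeps the first run quick on a large log.
Get-EventLog -LogName Security -Newest 200 |
    Where-Object { $_.EventID -eq 4624 -or $_.EventID -eq 4634 } |
    Format-Table TimeGenerated, EventID, Message -AutoSize

# 2) Get-WinEvent with -FilterHashtable. No hyphen before the keys, keys
#    joined with '=' rather than -eq, pairs separated by ';' or newlines,
#    and ProviderName accepts the * wildcard.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = '*Auditing'
        ID           = 4624, 4634
    } -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -AutoSize

# 3) The same filter wrapped in a function (hypothetical name), with an
#    optional -match on the message text for cases where -eq is too strict.
function Get-LogonEvent {
    param(
        [int[]]$Id = @(4624, 4634),   # logon and logoff by default
        [int]$Days = 1,               # look back this many days
        [int]$MaxEvents = 50,
        [string]$MessagePattern       # regex applied to the Message text
    )
    $filter = @{
        LogName      = 'Security'
        ProviderName = '*Auditing'
        ID           = $Id
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; silence it so an
    # empty result is returned instead.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
                           -ErrorAction SilentlyContinue
    if ($MessagePattern) {
        $events = $events | Where-Object { $_.Message -match $MessagePattern }
    }
    $events | Select-Object TimeCreated, Id, ProviderName, Message
}

# Logoffs in the last two days whose message mentions 'Key File'.
Get-LogonEvent -Id 4634 -Days 2 -MessagePattern 'Key File' |
    Format-Table -AutoSize
```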
Summary of Windows 8 Security Event Logs
This page employs my technique of comparing what you see in the Event Viewer with the output of PowerShell commands. Our vehicle was the Security log, and our method included filtering with the Actions pane and mastering PowerShell's -FilterHashtable parameter.