Windows 8 Event Viewer Security Log
This page combines three skills, finding events in the Security Log, learning PowerShell and understanding logon events.
Windows 8 Security Log Topics
- Finding the Windows 8 Security Log
- List the Last 10 Security Events with PowerShell
- Filtering Events within Event Viewer
- Filtering Windows Security Events with PowerShell
♦
Getting Started – Finding the Windows 8 Security Log
My parallel technique involves comparing what you see in the Event Viewer, with the output of PowerShell commands to filter for particular log messages.
Launch the Windows 8 Event Viewer
To get started with the Event Viewer press Winkey +w, this launches the Search box with the focus on Settings. Now type: "ev" you should see ‘View event logs’.
Once the Event Viewer has initialized if you expand ‘Windows logs’ you can see ‘Security’.
Parallel Technique: List the Last 10 Security Events with PowerShell
From the Metro UI, if you start typing: ‘Pow’ then you should see the 2 PowerShell Apps, choose the ISE version. There are two cmdlets Get-EventViewer and Get-WinEvent, in each case you need -LogName to specify the log you want to view.
Get-WinEvent
# PowerShell Windows 8 Security Event Logs
Get-WinEvent -LogName Security -MaxEvents 10
Note 1: The parameter -MaxEvents 10 is to speed up the command if you have a huge log and you just want to get the command working before you put it to real work.
Get-Eventlog
Alternatively, you can use Get-Eventlog cmdlet with its -Newest parameter. This is an old-fashioned, but easier to use cmdlet.
Clear-host
Get-Eventlog -LogName Security -Newest 20
List all the Event Logs
Clear-host
Get-WinEvent -ListLog * | Ft LogName, RecordCount -auto
Help Further PowerShell Research
#Pure Research – PowerShell Precede with Help
Clear-host
Help Get-WinEvent
Check available properties with GM (Get-Member)
#Pure Research – PowerShell Append Get-Member
Clear-host
Get-Eventlog Security -newest 10 | Get-Member
Guy Recommends: SolarWinds’ Log & Event Management Tool
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.
Download your FREE trial of SolarWinds Log & Event Management tool.
Filtering Events within the Event Viewer GUI
Orientation: You are in the Event Viewer, you pre-select the Security log. Now, go to the Actions pane to the right and click on ‘Filter Current Log’.
Here is where you put on your thinking hat, and experiment with each setting: my choices were:
Event sources Microsoft Windows security settings
Task category Logon, Logoff.
Filtering Windows Security Events with PowerShell
Typical Microsoft, there are at least 3 ways of employing PowerShell to filter the logs. My favourite, especially for learning is to pipe the output of Get-Eventlog into a where statement.
#Pure Research – PowerShell Where-Object Filtering
Clear-host
Get-Eventlog Security -Newest 100 | Where-Object {$_.EventID -eq ‘4624’}
Note 2: It may be clearer if you bolt on a Format-Table command. This enables you to choose the output columns, for example: | Format-Table EventID, Message -auto
Note 3: Windows Event ID 4624 means a user logged-on (and 4634 would record a logoff).
Note 4: The conditional operator -match may be better than -eq. Especially for messages, e.g. Where-Object {$_.message -match ‘Key File’}
-FilterHashTable with Get-WinEvent
If you call for Help then you can confirm that Get-WinEvent has a -FilterHashTable parameter, whereas Get-Eventlog does not. While the example below filters on just two properties, it would be easy to add more criteria such as ProviderName.
Clear-Host
Get-WinEvent -MaxEvents 100 -FilterHashtable @{Logname="Security"; ID="4624"}
Note 5: The syntax is a little tricky; a) There is no hyphen before the parameter. b) The key-value pairs are joined by the = (equals sign) and not PowerShell’s -eq. Also remember the overall format @{Filter="criteria"}
Note 6: You can also filter on ProviderName="*Auditing". For this property you can employ the famous * wild card. Indeed you could book-end wild cards thus: "*sched*. I discovered this when searching for Scheduled events in the Application log.
Summary of Windows 8 Security Event Logs
This page employs my technique of comparing what you see in the Event Viewer, with the output of PowerShell commands. Our vehicle was the Security logs and our method included filtering with the Action pane, and mastering PowerShell’s -FilterHashtable parameter.
If you like this page then please share it with your friends
Microsoft Windows 8 Configuration Topics
• Windows 8 Run Command • Windows 8 Virtual Keyboard • Windows 8 Lock Screen • Engineers Tookit
• Windows 8 Sound Problems • Windows 8 Security Event Log • Windows 8 Experience Index
• Windows 8 Config • Windows 8 Homegroup • Windows 8 Event Viewer • Windows 8 Task Scheduler