Windows 8 Security Log


This page combines three skills: finding events in the Security log, learning PowerShell, and understanding logon events.


Getting Started – Finding the Windows 8 Security Log

My parallel technique involves comparing what you see in the Event Viewer with the output of PowerShell commands that filter for particular log messages.

Launch the Windows 8 Event Viewer
To get started with the Event Viewer press Winkey + W; this launches the Search box with the focus on Settings. Now type "ev" and you should see 'View event logs'.

Once the Event Viewer has initialized, expand 'Windows Logs' and you will see 'Security'.


Parallel Technique: List the Last 10 Security Events with PowerShell

From the Metro UI, start typing 'Pow' and you should see the two PowerShell apps; choose the ISE version. There are two cmdlets, Get-EventLog and Get-WinEvent; in each case you need -LogName to specify the log you want to view.

Get-WinEvent

# PowerShell Windows 8 Security Event Logs
Get-WinEvent -LogName Security -MaxEvents 10

Note 1: The parameter -MaxEvents 10 is to speed up the command if you have a huge log and you just want to get the command working before you put it to real work.

Get-EventLog
Alternatively, you can use the Get-EventLog cmdlet with its -Newest parameter. This is an older, but easier to use, cmdlet.

Clear-Host
Get-EventLog -LogName Security -Newest 20

List all the Event Logs

Clear-Host
Get-WinEvent -ListLog * | Format-Table LogName, RecordCount -AutoSize

Help Further PowerShell Research

# Pure Research – PowerShell: precede the cmdlet name with Help
Clear-Host
Help Get-WinEvent

Check available properties with GM (Get-Member)

# Pure Research – PowerShell: append Get-Member to see the available properties
Clear-Host
Get-EventLog Security -Newest 10 | Get-Member


Filtering Events within the Event Viewer GUI

Orientation: you are in the Event Viewer and have selected the Security log. Now go to the Actions pane on the right and click 'Filter Current Log'.

Here is where you put on your thinking hat and experiment with each setting; my choices were:
Event sources: Microsoft Windows security settings
Task category: Logon, Logoff.


Filtering Windows Security Events with PowerShell

Typical Microsoft: there are at least three ways of using PowerShell to filter the logs. My favourite, especially for learning, is to pipe the output of Get-EventLog into a Where-Object statement.

# Pure Research – PowerShell Where-Object filtering (4624 = successful logon)
Clear-Host
Get-EventLog Security -Newest 100 | Where-Object { $_.EventID -eq 4624 }

Note 2: It may be clearer if you bolt on a Format-Table command, which lets you choose the output columns, for example: | Format-Table EventID, Message -AutoSize

Note 3: Windows Event ID 4624 records a successful user logon (and 4634 records a logoff).

Note 4: The -match operator may be better than -eq, especially for messages, e.g. Where-Object { $_.Message -match 'Key File' }
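Putting Notes 2 to 4 together, here is an added example (my code, not from the original page) that reads the Security log once with Get-EventLog, filters with Where-Object, picks columns with Format-Table, and then uses -match on the message text to count logons by logon type. It assumes an elevated PowerShell session, since reading the Security log needs administrator rights; the logon type codes are Microsoft's documented meanings for event 4624, and the -Newest 500 window is an arbitrary choice.

```powershell
# Added example (not from the original page): Get-EventLog piped through
# Where-Object, Format-Table and Group-Object to see which kinds of logon
# are hitting this machine. Assumes an elevated PowerShell session.
Clear-Host

# Well-known logon type codes that appear in the "Logon Type:" line of 4624.
$logonTypeNames = @{
    2  = 'Interactive'        # at the keyboard
    3  = 'Network'            # e.g. file share access
    4  = 'Batch'              # scheduled tasks
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive'  # Remote Desktop
    11 = 'CachedInteractive'  # cached domain credentials
}

# Read the newest 500 Security events once; all filtering happens in the pipeline.
$events = Get-EventLog -LogName Security -Newest 500

# Note 2: Where-Object picks the event IDs, Format-Table picks the columns.
# The Summary column is the first line of the message, e.g. "An account was successfully logged on."
$events |
    Where-Object { $_.EventID -eq 4624 -or $_.EventID -eq 4634 } |
    Format-Table TimeGenerated, EventID,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } -AutoSize

# Note 4: -match on the message text pulls the logon type out of each 4624,
# then Group-Object counts how many logons of each kind occurred.
$events |
    Where-Object { $_.EventID -eq 4624 } |
    ForEach-Object {
        if ($_.Message -match 'Logon Type:\s+(\d+)') {
            $type = [int]$Matches[1]
            [pscustomobject]@{
                Time      = $_.TimeGenerated
                LogonType = $type
                Kind      = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { 'Other' }
            }
        }
    } |
    Group-Object Kind |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

The second table is the useful one for a quick sanity check: on a workstation you expect mostly Interactive, Unlock and CachedInteractive logons, so a large count of Network or RemoteInteractive logons is worth a closer look with the per-event listing above.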

-FilterHashTable with Get-WinEvent

If you call for Help you can confirm that Get-WinEvent has a -FilterHashtable parameter, whereas Get-EventLog does not. While the example below filters on just two properties, it would be easy to add more criteria such as ProviderName.

Clear-Host
Get-WinEvent -MaxEvents 100 -FilterHashtable @{ LogName = "Security"; ID = 4624 }

Note 5: The syntax is a little tricky: a) there is no hyphen before the key names inside the hash table; b) the key-value pairs are joined by = (the equals sign) and not PowerShell's -eq. Also remember the overall format @{Filter="criteria"}

Note 6: You can also filter on ProviderName="*Auditing". For this key you can employ the famous * wildcard; indeed you can book-end wildcards, thus: "*sched*". I discovered this when searching for scheduled events in the Application log.
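As an added example (my code, not from the original page), here is -FilterHashtable with several keys at once: LogName, an array of IDs, a StartTime and the ProviderName from Note 6, followed by a small helper that reads named fields from each event's XML instead of regex-matching the message text. It assumes an elevated session; the one-day window, the 500-event cap and the helper name Get-EventDataField are my own choices.

```powershell
# Added example (not from the original page): Get-WinEvent -FilterHashtable
# with multiple keys, then reading EventData fields from the event XML.
# Assumes an elevated PowerShell session.
Clear-Host

# Every key in the hash table must match; an array value for ID matches any of the IDs.
$filter = @{
    LogName      = 'Security'
    ID           = 4624, 4634                                  # logon and logoff
    StartTime    = (Get-Date).AddDays(-1)                      # last 24 hours (arbitrary window)
    ProviderName = 'Microsoft-Windows-Security-Auditing'       # Note 6 used the wildcard form "*Auditing"
}

# Get-WinEvent writes an error rather than an empty result when nothing matches,
# so suppress that and treat $events as possibly empty.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue

# Hypothetical helper (not a built-in cmdlet): each <Data Name="..."> element in the
# event's EventData section is returned by name, so 4624 and 4634 can share one code path.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq $Name }
    if ($node) { $node.InnerText } else { $null }
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        Account     = Get-EventDataField -Event $_ -Name 'TargetUserName'
        LogonType   = Get-EventDataField -Event $_ -Name 'LogonType'
        Workstation = Get-EventDataField -Event $_ -Name 'WorkstationName'   # present on 4624, empty on 4634
    }
} | Format-Table -AutoSize
```

Reading the XML fields is more robust than matching the message text because the field names do not change when the display language of the message does, and it lets the same helper serve any Security event you later add to the ID array.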

Summary of Windows 8 Security Event Logs

This page employs my technique of comparing what you see in the Event Viewer with the output of PowerShell commands. Our vehicle was the Security log, and our method included filtering with the Actions pane and mastering PowerShell's -FilterHashtable parameter.
