This function is great for (almost) live monitoring of important events (user lockout, hdd error, clearing of log,...). It watches given logs and if it detects given event id, it will send it through pipe to console. So you can just let it print or send it to forech-object and do whatever you like with it as you can see in example bellow)

For example it can be used to send email alerts for different important events (expecially it is good with combination with event forwarding)

What it will be looking for is defined in parameter eventToSearch which accepts specially formated string/s which has to contain:log name, ids of events or provider name delimited with semicolon (for example "security;4672,4624,4798")

Please be noted that searching isnt realtime. It has some delay and is it by desing.

 

EXAMPLE

 

# 4724 = account_password_reset
# 4720 = user_account_created
$eventToSearch = "forwardedEvents; 4724, 4720"
Watch-EventLog -eventToSearch $eventToSearch -sleep 30 -stopAfter 24 | % {
 $evnt = $_
 switch ($evnt.id) {
 4724 {
 $what = $evnt.properties.value[0]
 $who = $evnt.properties.value[4]
 write-warning "User $who reset password of account $what
 }
 
 4720 {write-warning "user account was created}
 }
}
More functions are available on my github https://github.com/ztrhgf/useful_powershell_functions