Windows Event Log Management Script event-log-manager.ps1

This script, event-log-manager.ps1, provides the ability to manage event logs on machines locally or remotely.

Operating System
5/25/2018


  • enable logs exception: New-Object : Exception calling ".ctor" with "2" argument(s): "Attempted to perform an unauthorized operation."
    2 Posts | Last post March 19, 2018
    • Why am I getting this error?  Additional error information:
      + ... $eventLog = New-Object Diagnostics.Eventing.Reader.EventLogConfiguration ($eventLogName, $session)
      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
          + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
      
      I added Add-Type -AssemblyName System.Core before the call, but the error still persists.
    • I see this issue in a clean Azure environment with machines in a workgroup when accessing remotely.
      You can enable debugging using the switch -debugScript.
      Check WinRM on the source machine where the script is being run from.
      I enable WinRM TrustedHosts * on the source machine.
      An easy test is, from the source machine, to do a dir to the remote machine, for example: dir \\someRemoteMachine\admin$

      Requirements:
          - administrator PowerShell prompt
          - administrative access to machine
          - remote network ports:
              - SMB 445
              - RPC endpoint mapper 135
              - RPC ephemeral ports
              - to test access from source machine to remote machine: dir \\%remote machine%\admin$
          - WinRM
              - depending on configuration / security, it may be necessary to modify TrustedHosts on the source machine for management of remote machines
              - to query: winrm get winrm/config
              - to enable sending credentials to remote machines: winrm set winrm/config/client '@{TrustedHosts="*"}'
              - to disable sending credentials to remote machines: winrm set winrm/config/client '@{TrustedHosts=""}'
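The following pre-flight check is an added example and is not part of event-log-manager.ps1 or the author's reply; it walks the requirements listed above (elevation, ports 445 and 135, the admin$ share test, the WinRM client TrustedHosts setting) before attempting the exact EventLogConfiguration call that failed in the question. $remoteMachine is an assumed placeholder. Where the reply uses TrustedHosts="*", the example adds only the named machine, since "*" makes the WinRM client willing to send credentials to any host.

```powershell
# Added example: pre-flight checks for remote event log management.
# $remoteMachine is a placeholder; pass the host you administer.
param(
    [Parameter(Mandatory)][string]$remoteMachine
)

# 1. Elevated prompt: EventLogConfiguration on a remote log needs administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "elevated prompt: $isAdmin"

# 2. Network ports from the requirements list: SMB 445 and the RPC endpoint mapper 135.
foreach ($port in 445, 135) {
    $result = Test-NetConnection -ComputerName $remoteMachine -Port $port -WarningAction SilentlyContinue
    Write-Host ("tcp {0}: {1}" -f $port, $result.TcpTestSucceeded)
}

# 3. Administrative share access (the "dir \\machine\admin$" test from the reply).
$adminShare = "\\$remoteMachine\admin$"
$shareOk = Test-Path -Path $adminShare
Write-Host "admin`$ share reachable: $shareOk"

# 4. WinRM client TrustedHosts: the hosts the client will send credentials to.
$trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "current TrustedHosts: '$trusted'"
if ($trusted -ne '*' -and (($trusted -split ',\s*') -notcontains $remoteMachine)) {
    # Append only this machine instead of '*', so other hosts stay untrusted.
    Write-Host "adding $remoteMachine to TrustedHosts"
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $remoteMachine -Concatenate -Force
}

# 5. Attempt the call from the question, surfacing the inner exception if it fails.
try {
    $session  = New-Object Diagnostics.Eventing.Reader.EventLogSession($remoteMachine)
    $eventLog = New-Object Diagnostics.Eventing.Reader.EventLogConfiguration('Security', $session)
    Write-Host ("remote Security log enabled: {0}, max size: {1} bytes" -f `
        $eventLog.IsEnabled, $eventLog.MaximumSizeInBytes)
}
catch {
    $inner = $_.Exception.InnerException
    Write-Host "remote EventLogConfiguration failed: $(if ($inner) { $inner.Message } else { $_.Exception.Message })"
}
finally {
    if ($session) { $session.Dispose() }
}
```

Run it from an elevated prompt on the source machine as .\preflight.ps1 -remoteMachine someRemoteMachine; an "Attempted to perform an unauthorized operation" result in step 5 with steps 2 to 4 passing points at credentials or rights on the remote side rather than at connectivity.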
  • How can I modify this script to look at the security logs for a specific list of events?
    4 Posts | Last post March 14, 2018
    • I have a need to read the security logs in real time.  How can I modify this script to look at the security logs for a specific list of events?
    • To listen to the security event log in real time, searching for any event that has the word 'token' in it:
      .\event-log-manager.ps1 -eventLogNamePattern "^security" -listen -eventTracePattern "token"
      
      To listen to the security event log in real time, searching for event IDs 4688 and 4689:
      .\event-log-manager.ps1 -eventLogNamePattern "^security" -eventLogIds 4688,4689 -listen
      
      does that answer your question?
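As an added example that is not code from event-log-manager.ps1, the following shows the same real-time subscription done directly against the Security log with the .NET EventLogWatcher class: the event ID list is pushed into an XPath filter so the subscription does the selection, and a regular expression (the 'token' case above) is applied to each rendered message. The parameter names mirror the script's switches but are this example's own assumption.

```powershell
# Added example: real-time Security log subscription filtered by event ID and
# message pattern. Requires an elevated prompt; $eventLogIds and
# $eventTracePattern are assumed names chosen to mirror the script's switches.
param(
    [int[]]$eventLogIds = @(4688, 4689),
    [string]$eventTracePattern = 'token',
    [int]$seconds = 60
)

# Build an XPath filter such as *[System[(EventID=4688 or EventID=4689)]]
# so the subscription only delivers the IDs of interest.
$idClause = ($eventLogIds | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath    = "*[System[($idClause)]]"
$query    = New-Object Diagnostics.Eventing.Reader.EventLogQuery(
                'Security', [Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher  = New-Object Diagnostics.Eventing.Reader.EventLogWatcher($query)

# The action runs once per matching record; MessageData carries the regex in.
$job = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
    $record = $EventArgs.EventRecord
    if ($null -eq $record) { return }   # a read error surfaces as a null record
    $message = $record.FormatDescription()
    if ($message -match $Event.MessageData.Pattern) {
        $firstLine = ($message -split "`n")[0]
        Write-Host ('{0} id={1} {2}' -f $record.TimeCreated, $record.Id, $firstLine)
    }
} -MessageData @{ Pattern = $eventTracePattern }

$watcher.Enabled = $true
Write-Host "listening on Security for IDs $($eventLogIds -join ',') matching '$eventTracePattern' for $seconds s"
try {
    Start-Sleep -Seconds $seconds
}
finally {
    # Always tear down the subscription so the handler does not keep running.
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier $job.Name
    $watcher.Dispose()
}
```

Process creation (4688) and process exit (4689) events are only written when the corresponding audit subcategory is enabled; with default settings on many systems the watcher will sit silent, which is itself a useful check of the audit policy.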
    • Yes, this answers the question.
    • Yes, perfectly.  I did test replacing all instances of $rds with $security and changing $rdspattern to $securityPattern = "^Security$".  This seems to work as well.