Filter Event Log on Message string using PowerShell

I recently had the need to look for a very specific string in the Message portion of the Security event log, and the built-in filtering cannot match on only a portion of the Message section (I actually had four different strings to search on), so I came up with the PowerShell script below. I have changed it to be more generic and universal so that everyone can easily use it.

###################################################
## Version 1.2
## PowerShell script that collects event log entries with specific IDs, then filters on a date range
## and on a specified string within the Message portion of the event.
## It then writes the result to an HTML file. If you would rather have a TXT file, uncomment the
## listed command below and comment out the ConvertTo-Html line.
##
##
## Author: Josh Ancel
## Date Written: 8/27/2013
##
##
###################################################

## Reads where the user would like to store the output file.
Write-Host "Enter the path and file name where you would like to store the information."
$fileLocation = Read-Host "Note! File is HTML format. Example: C:\Temp\events.html"

## Reads the event log that they want to search.
$EventLog = Read-Host "Enter the Event Log that you would like to search. Example: Application or Security"

## Reads EventIDs from user (one or more, separated by commas).
$EventID = (Read-Host "Enter the EventID(s) you would like to filter on. Example: 22222 or 4624,4625") -split ',' | ForEach-Object { [int]$_.Trim() }

## Collect date range from user.
$StartDate = Read-Host "Enter Start Date in format MM/DD/YYYY"
$EndDate = Read-Host "Enter End Date in format MM/DD/YYYY"

## Reads Message filter from user. Wildcards can be used at the start and end of the string.
## If you need wildcards elsewhere, edit the script to include additional variables.
Write-Host "Please provide the string that you would like to filter on."
Write-Host "Wildcards can only be accepted at the start and end of the string. If you need multiple strings you will need to edit the PowerShell script."
$MessageFilter = Read-Host "Example: *Failed*"

## Collect the specified events from the chosen log, filter on date range, and filter for the specific Message string.
$SmartAudit = Get-EventLog -LogName $EventLog -After $StartDate -Before $EndDate | Where-Object { $EventID -contains $_.EventID -and $_.Message -like $MessageFilter }

## Writes to HTML file.
$SmartAudit | ConvertTo-Html | Set-Content $fileLocation
Write-Host "Total number of matching events found = " @($SmartAudit).Count
Write-Host "Completed. Your file is ready for you to view in " $fileLocation

## If you want to write clear text, use this command instead of the ConvertTo-Html line.
#$SmartAudit | Format-List | Out-File $fileLocation

#EOF
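As an added example (not part of the original script), here is the same task done with Get-WinEvent, which lets the event log service apply the ID and time-window filter itself instead of streaming the entire log through Where-Object, and which matches several message strings at once via one regular expression. The function name, its parameter names and the sample values in the invocation at the end are assumptions chosen for illustration.

```powershell
# Added example: filter an event log by ID, time window and several Message
# substrings. Reading the Security log requires an elevated PowerShell session.
function Search-EventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $LogName,    # e.g. 'Security' or 'Application'
        [Parameter(Mandatory)][int[]]    $EventId,    # one or more event IDs
        [Parameter(Mandatory)][datetime] $StartTime,
        [Parameter(Mandatory)][datetime] $EndTime,
        [Parameter(Mandatory)][string[]] $Patterns,   # plain substrings to look for in Message
        [string] $OutFile                              # optional HTML report path
    )

    # LogName, Id, StartTime and EndTime are evaluated by the event log service,
    # so only candidate records are returned to PowerShell.
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $StartTime; EndTime = $EndTime }

    # One regex alternation built from the substrings; escaping makes characters
    # such as '.' or '(' in a pattern match literally.
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Get-WinEvent raises a non-terminating error when nothing matches the
    # hashtable; SilentlyContinue turns that into an empty result instead.
    $hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        Select-Object TimeCreated, Id, ProviderName, MachineName,
            @{ Name = 'Matched'; Expression = { [regex]::Match($_.Message, $regex).Value } },
            Message

    if ($OutFile) {
        $hits | ConvertTo-Html -Title "Filtered $LogName events" | Set-Content -Path $OutFile
    }
    Write-Host "Total number of matching events found = $(@($hits).Count)"
    return $hits
}

# Constructed invocation: two IDs and four message strings over the last seven days.
Search-EventMessage -LogName 'Security' -EventId 4624, 4625 `
    -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) `
    -Patterns 'Failed', 'Administrator', 'svc_backup', 'Logon Type:' `
    -OutFile 'C:\Temp\events.html'
```

Get-EventLog is only available in Windows PowerShell, whereas Get-WinEvent also works in PowerShell 7 and can read the newer Applications and Services logs.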

Good luck!


~ by Josh on August 27, 2013.
