
I am new to PowerShell. I am trying to get information for several event IDs regarding account management auditing. I know that the script I wrote isn't efficient enough, but I don't think that's the issue here. For some reason I don't get the output for event ID 4781, even though I have generated some events and they are shown in Event Viewer. For event IDs like 4720, 4726, 4722 etc. I am able to log them normally to an output file, using the same script. Does anyone have any clue why?

Currently I am getting this output: Action:User Created Time:31-08-2018 2:55 Who:administrator User:test2

$events = Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate | Where-Object { $_.EventID -eq 4781 -or $_.EventID -eq 4720 }
$ActivityOutput = foreach ($e in $events) {
    # user account was created
    if ($e.EventID -eq 4720) {
        Write-Output "Action:User Created","Time:$($e.TimeGenerated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.ReplacementStrings[4])","User:$($e.ReplacementStrings[0])"
        Write-Output "===============================================`n"
    }
    # the name of an account was changed
    if ($e.EventID -eq 4781) {
        Write-Output "The name of an Object changed","Time:$($e.TimeGenerated.ToString("dd-MM-yyyy  h:mm"))","Who:$($e.ReplacementStrings[5])","Old Value:$($e.ReplacementStrings[0])","New Value:$($e.ReplacementStrings[1])"
        Write-Output "===============================================`n"
    }
}
Out-File -Append -FilePath C:\UserTracking.txt -InputObject $ActivityOutput

========= UPDATE 04/09/2018

So it seems that Get-EventLog fetches only some of the event IDs; this is why I was missing some of them, like 4781. I converted to Get-WinEvent and it seems that this one fetches all desired event IDs. Edited code:

$events = Get-WinEvent -FilterHashtable @{Logname="Security"; StartTime=(Get-Date).AddDays(-6); ID=4781,4738,4725,4728,4729,4720,4726,4722,4740}
$ActivityOutput = foreach ($e in $events) {
    # user account was created
    if ($e.Id -eq 4720) {
        Write-Output "Action:User Created","Time:$($e.TimeCreated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.?)","User:$($e.?)"
    }
}

Now, any help on how to fetch info like who made the change and on which user, using Write-Output as shown above?

2 Answers


You seem to be missing a return before the Out-File. Not sure if that was a typo in the paste or not.

One thing to do to verify if you're actually getting any matches is to just run $events | ?{$_.EventID -eq 4781}. You'll get all the results printed to screen. If you see that there aren't any it could be that you haven't had any logs with EventID 4781.

  • Hi, thanks for your reply. The Out-File seems to be working fine, as I am getting results for other event IDs. I ran the command you suggested and I get no results. – Polina Antoniou Sep 03 '18 at 06:05
  • But I am running this and it seems that there are such events: Get-EventLog -LogName Security -InstanceId 4781 --> ...95966 Aug 31 14:58 SuccessA... Microsoft-Windows... 4781 The name of an account was changed:... – Polina Antoniou Sep 03 '18 at 06:10

In general, I shouldn't use Get-EventLog but Get-WinEvent. The values for each event ID can be fetched using $_.Properties[...].

So, I ended up with the draft code below, which I will repeat for all the desired event IDs, since I need different values for each one.

$EventID = 4781,4738,4725,4728,4729,4720,4726,4722,4740
$events = Get-WinEvent -FilterHashtable @{Logname="Security"; StartTime=(Get-Date).AddDays(-6); ID=$EventID}
$ActivityOutput = foreach ($e in $events) {
    # user account was created: Properties[4] is the subject (who did it), Properties[0] the target user
    if ($e.Id -eq 4720) {
        Write-Output "Action:User Created","Time:$($e.TimeCreated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.Properties[4].Value)","User:$($e.Properties[0].Value)"
        Write-Output "===============================================`n"
    }
}
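As an added example (not the asker's code or any answer on this page), here is the same lookup for the question's update and for this answer, done by field name via the event's XML instead of by Properties[] position, so one function covers every event ID, and emitting objects for Export-Csv rather than formatted strings. It assumes the Security log is readable on the host it runs on, uses the field names from the Windows event schema (SubjectUserName, TargetUserName, OldTargetUserName, NewTargetUserName, MemberName), and the output path is a placeholder.

```powershell
# Added example, not the asker's code: look up EventData fields by name via ToXml()
# rather than by Properties[] position, and emit objects instead of text lines.
# Assumes: Security log readable locally; field names per the Windows event schema.
$idMap = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4781 = 'Account name changed'
    4728 = 'Member added to global group'
    4729 = 'Member removed from global group'
}

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # <Data Name="..."> elements under EventData carry the named fields
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = (Get-Date).AddDays(-6)
    ID        = [int[]]$idMap.Keys
} -ErrorAction SilentlyContinue   # no error when nothing matched

$activity = foreach ($e in $events) {
    $target = if ($e.Id -eq 4781) {
        # 4781 carries the old and new name instead of one target
        '{0} -> {1}' -f (Get-EventDataField $e 'OldTargetUserName'), (Get-EventDataField $e 'NewTargetUserName')
    } elseif ($e.Id -in 4728, 4729) {
        # group membership events: MemberName is the account, TargetUserName the group
        '{0} in {1}' -f (Get-EventDataField $e 'MemberName'), (Get-EventDataField $e 'TargetUserName')
    } else {
        Get-EventDataField $e 'TargetUserName'
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated.ToString('dd-MM-yyyy HH:mm')
        Id     = $e.Id
        Action = $idMap[$e.Id]
        Who    = Get-EventDataField $e 'SubjectUserName'
        Target = $target
    }
}
# placeholder path; Export-Csv gives one row per event for later filtering
$activity | Export-Csv -Path 'C:\UserTracking.csv' -NoTypeInformation -Append
```

For 4740 the SubjectUserName is usually the domain controller's computer account rather than a person, so treat Who for lockouts accordingly when reviewing the CSV.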