
I have a PowerShell script that I found on GitHub here. I am trying to export security audit logs that have a specific Event ID rather than exporting all logs to a .csv file. I am new to PowerShell and can't really seem to find any further information on next steps or how I should approach this. I imagine that the change will have to do with the Get-WinEvent -LogName $($EventType) | Export-CSV "$LogOutputCSVFilePath" line of code; however, I am not sure what the change would be. Any help is appreciated.

My Current Code

# Capture the script start time
$ScriptStartTime = Get-Date

# Set output location for CSV files.
$LogOutputDirectory = 'C:\Users\myuser\Desktop'

# Define Windows event log types to export.
$EventTypesToExport = @('Security')

foreach ($EventType in $EventTypesToExport)
{
    # Build the file path for the current log topic.
    $LogOutputTopic = "Windows Event Log - $EventType"
    $CurrentTimeUTC = Get-Date -Format FileDateTimeUniversal
    $LogOutputFileName = "$CurrentTimeUTC - $LogOutputTopic"
    $LogOutputCSVFilePath = "$LogOutputDirectory\$LogOutputFileName.csv"

    # Create a CSV version of the log data.
    Write-Output "Creating CSV version of Windows event log of type $EventType."
    Write-Output 'Target CSV file path:'
    Write-Output "$LogOutputCSVFilePath"
    Get-WinEvent -LogName $($EventType) | Export-CSV "$LogOutputCSVFilePath"
    Write-Output 'Finished creating CSV file.'
}

# Calculate script run time.
$ScriptEndTime = Get-Date
$ScriptDuration = New-Timespan -Start $ScriptStartTime -End $ScriptEndTime
Write-Output "Log export process execution time: $ScriptDuration"

I am currently operating on Windows 10. Any help is appreciated!

Note: You can view these logs by going to the Event Viewer application on Windows, selecting "Windows Logs" and then selecting "Security".


1 Answer


Use the -FilterHashtable parameter with Get-WinEvent:

$filterTable = @{
    LogName    = $EventType
    Id         = 1,2,3,4
    StartTime  = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filterTable | Export-CSV $LogOutputCSVFilePath

Note: Due to a limitation in the Eventlog service API, you can pass at most 23 unique Event IDs in one query; add any more and the event log returns no results.

  • This is great! Would there be a way to make it so it grabs info for the past day? Thank you again for the help! – Buzzkillionair Feb 28 '23 at 16:19
  • @Buzzkillionair Yes, see updated answer - you can also specify an `EndTime` entry if necessary – Mathias R. Jessen Feb 28 '23 at 16:23
  • Using an array of IDs over Invoke-Command has a further level of annoyance. – js2010 Feb 28 '23 at 16:33
  • Not to bother again, but would there be a way to specify the logon type? According to Microsoft "When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type." I am looking to find a specific type @MathiasR.Jessen Also, how do you find the specific name of the event so that it can find the event? – Buzzkillionair Feb 28 '23 at 16:41
  • @js2010 Like I said, I am fairly new and got the base of this from GitHub – Buzzkillionair Feb 28 '23 at 16:47
  • @Buzzkillionair You're welcome to ask another question (or [peruse existing ones](https://stackoverflow.com/questions/48526192/get-winevent-add-parts-of-extended-data-to-scv-columns/48527378#48527378)) :) – Mathias R. Jessen Feb 28 '23 at 17:13
  • Will do shortly! – Buzzkillionair Feb 28 '23 at 17:26
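An added worked example (not from the question or the answer above) that combines the answer's -FilterHashtable approach with the two follow-ups raised in the comments: batching the ID list so no single query exceeds the 23-ID limit, and pulling EventData fields such as 4624's LogonType out of the event XML into their own CSV columns. The function and variable names are my own, and the script assumes an elevated session, since reading the Security log requires administrator rights.

```powershell
# Added example: export selected Security events from the last day to CSV, with
# EventData fields (e.g. LogonType of 4624) flattened into columns.
# Hypothetical names: Export-SecurityEvents, $MaxIdsPerQuery. Adjust $OutputCsv as needed.

$OutputCsv      = "$env:USERPROFILE\Desktop\Security-Logons.csv"
$EventIds       = @(4624, 4625, 4634, 4647, 4672)   # sample set; any number of IDs works
$MaxIdsPerQuery = 23                                # API limit noted in the answer
$Since          = (Get-Date).AddDays(-1)

function Export-SecurityEvents {
    param([int[]]$Ids, [datetime]$StartTime, [string]$Path)

    $rows = for ($i = 0; $i -lt $Ids.Count; $i += $MaxIdsPerQuery) {
        # Take at most 23 IDs per query so the filter never silently returns nothing.
        $chunk  = $Ids[$i..([Math]::Min($i + $MaxIdsPerQuery, $Ids.Count) - 1)]
        $filter = @{ LogName = 'Security'; Id = $chunk; StartTime = $StartTime }

        # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Flatten the <EventData> block of the event XML into name/value pairs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Id             = $_.Id
                TargetUserName = $data['TargetUserName']
                LogonType      = $data['LogonType']   # present on logon events such as 4624
                IpAddress      = $data['IpAddress']
                MachineName    = $_.MachineName
            }
        }
    }

    # Filtering on an EventData field: keep only network (3) and RDP (10) logons among 4624s.
    $rows | Where-Object { $_.Id -ne 4624 -or $_.LogonType -in 3, 10 } |
        Sort-Object TimeCreated |
        Export-Csv -Path $Path -NoTypeInformation
}

Export-SecurityEvents -Ids $EventIds -StartTime $Since -Path $OutputCsv
```

Open the resulting CSV and the LogonType column will be empty for IDs that carry no such field (4672, for instance), which is expected.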