Accessing Remote Security Event Log Information with Windows PowerShell, II

An interesting problem is to read the Security log portion of the Windows Event Log on a remote machine using Windows PowerShell. The intrinsic Get-EventLog cmdlet only works on the local machine (it gained a -ComputerName parameter in PowerShell 2.0). The intrinsic get-wmiobject cmdlet with a "win32_ntlogevent" argument can read most logs (Application and System in particular) on a remote machine, but not the Security log: reading the Security log requires the SeSecurityPrivilege, and get-wmiobject does not enable that privilege on the WMI connection, so the Security records simply never come back (PowerShell 2.0 later added an -EnableAllPrivileges switch for this). So, if you want remote security events, you can directly or indirectly call the .NET Framework System.Management classes.

The screenshot below shows the basic ideas of one approach. The first command creates a new ConnectionOptions object; this is really a preliminary step. The second command shows that by default the EnablePrivileges property of the connection is False, which means the SeSecurityPrivilege needed to read the Security log will not be enabled when the connection is made. So in my third command I set EnablePrivileges to $true. I could also have specified a different user name and password on the ConnectionOptions object at this stage if necessary. My fourth command creates a new ManagementScope object pointing at the root\cimv2 namespace on a remote machine (named vte020), using the connection options with privileges enabled. My fifth command establishes the connection to the remote machine with the Connect() method.

The sixth command creates a WQL query (WMI's SQL-like query language) that fetches every property of every record in every log on the remote machine. In practice you would usually filter at this point with a WHERE clause (on Logfile, Type, or EventCode) rather than later as I do in this demo, because every record the query matches is marshaled and sent across the network. My seventh command creates a ManagementObjectSearcher using the scope and the query I just created. My eighth command retrieves the entire Event Log with the Get() method. The remaining commands successively filter down to just the Security log, then just security events of type "audit success", and then just the first event in that collection. I finish by displaying the Message property of the first audit success event in the Security log.
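The same approach as a reusable script, added here as an example and not code from the original post. It does what the text recommends and filters in the WQL WHERE clause instead of after retrieval, enables the privilege on the connection before connecting, and converts WMI's DMTF timestamps to DateTime. The machine name vte020 is the one used in the post; the default event IDs (4624 logon success, 4625 logon failure), the -MaxEvents cap and the optional -Credential parameter are my assumptions, and the syntax assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Reads selected Security-log
# events from a remote machine through System.Management, filtering in WQL.
# Assumptions: target name "vte020" (from the post), event IDs 4624/4625
# (logon success/failure), and the optional -Credential parameter.
param(
    [string]$ComputerName = "vte020",
    [int[]]$EventCodes = @(4624, 4625),
    [int]$MaxEvents = 20,
    [System.Management.Automation.PSCredential]$Credential
)

# 1. Connection options. EnablePrivileges is $false by default; reading the
#    Security log needs SeSecurityPrivilege, and without it the query simply
#    returns no Security records rather than failing with an error.
$co = New-Object System.Management.ConnectionOptions
$co.EnablePrivileges = $true
$co.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
if ($Credential) {
    # Alternate credentials for the remote connection (WMI rejects them for localhost).
    $co.Username = $Credential.UserName
    $co.SecurePassword = $Credential.Password    # SecureString, never a plain string
}

# 2. Scope: the root\cimv2 namespace on the remote machine, then connect.
$ms = New-Object System.Management.ManagementScope("\\$ComputerName\root\cimv2", $co)
$ms.Connect()

# 3. WQL query filtered on the server side. WQL has no TOP clause, so the
#    row count is capped client-side in step 4; everything else is filtered here.
$codeFilter = ($EventCodes | ForEach-Object { "EventCode = $_" }) -join " OR "
$wql = "SELECT TimeGenerated, EventCode, Type, SourceName, Message " +
       "FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND ($codeFilter)"
$q   = New-Object System.Management.ObjectQuery($wql)
$mos = New-Object System.Management.ManagementObjectSearcher($ms, $q)

# 4. Enumerate. TimeGenerated is a DMTF string (yyyymmddHHMMSS.ffffff+UTC offset),
#    so convert it; Message is rendered by WMI on the remote machine.
$events = $mos.Get() | Select-Object -First $MaxEvents | ForEach-Object {
    [pscustomobject]@{
        Time    = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        EventId = [int]$_.EventCode
        Type    = $_.Type
        Source  = $_.SourceName
        Summary = ("$($_.Message)" -split "`r?`n")[0]    # first line of the message
    }
}

# An empty result is ambiguous: no matching events, or no SeSecurityPrivilege.
if (-not $events) {
    Write-Warning "No matching Security events from $ComputerName. Check that the account is an administrator there and that EnablePrivileges was set; without SeSecurityPrivilege the Security log comes back empty."
}
$events | Format-Table -AutoSize
```

Saved as, say, Get-RemoteSecurityEvents.ps1 (a hypothetical file name), it runs as `.\Get-RemoteSecurityEvents.ps1 -ComputerName vte020 -EventCodes 4625 -Credential (Get-Credential)`. The connection is DCOM, so the remote machine must allow WMI through its firewall, and the account must be a local administrator there; an empty result with no error is the usual symptom of forgetting EnablePrivileges.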
This entry was posted in Software Test Automation.

One Response to Accessing Remote Security Event Log Information with Windows PowerShell, II

  1. James says:

    A couple people said the screenshot image was difficult to read and asked for the commands in regular text form. Here they are:
    PS C:\> $co = new-object Management.ConnectionOptions
    PS C:\> $co.enableprivileges
    False
    PS C:\> $co.enableprivileges = $true
    PS C:\> $ms = new-object Management.ManagementScope("\\vte020\root\cimv2", $co)
    PS C:\> $ms.connect()
    PS C:\> $q = new-object Management.ObjectQuery("select * from win32_ntlogevent")
    PS C:\> $mos = new-object Management.ManagementObjectSearcher($ms, $q)
    PS C:\> $entireLog = $mos.get()
    PS C:\> $secLog = $entireLog | where-object { $_.logfile -eq "Security" }
    PS C:\> $auditSuccesses = $secLog | where-object { $_.type -eq "audit success" }
    PS C:\> $firstAuditSuccess = $auditSuccesses[0]
    PS C:\> $firstAuditSuccess.message
