Wednesday, March 10, 2010

Reading Events

I think most of us are aware of the Get-EventLog cmdlet in v2.0. Personally, I think it is a great cmdlet, but the event logs themselves are a bit messy. Take EventID 4663, "An attempt was made to access an object": one big problem is that information you would expect to find as properties of the returned object is missing. Fortunately, the ReplacementStrings property contains all the data that gets inserted into the message but does not show up as a value of any other property of the event object.

Confused yet? Here's an example:

EventID            : 4663
MachineName        : xxx.mydomain.local
Data               : {}
Index              : 93068
Category           : (12800)
CategoryNumber     : 12800
EntryType          : SuccessAudit
Message            : An attempt was made to access an object.
                     
                     Subject:
                         Security ID:        S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxx914379-1106
                         Account Name:        johndoe
                         Account Domain:        MYDOMAIN
                         Logon ID:        0x251942
                     
                     Object:
                         Object Server:    Security
                         Object Type:    File
                         Object Name:    C:\Temp\SecuredFolder
                         Handle ID:    0xa18
                     
                     Process Information:
                         Process ID:    0x4
                         Process Name:    
                     
                     Access Request Information:
                         Accesses:    %%1537
                                 
                         Access Mask:    0x10000
Source             : Microsoft-Windows-Security-Auditing
ReplacementStrings : {S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX, johndoe, MYDOMAIN, 0x251942...}
InstanceId         : 4663
TimeGenerated      : 2/30/2010 12:00:00 PM
TimeWritten        : 2/30/2010 12:00:00 PM
UserName           : 
Site               : 
Container          : 
 
As you can see, the UserName property is blank, yet the account does show in the message. Now look at the data in ReplacementStrings. The value from the Account Name line of the message appears there as the 2nd string, johndoe. ReplacementStrings is an array, so we pull the 2nd entry as [1] (remember that arrays are zero-based, so the first item is [0]). The same is true for the domain, which is the 3rd entry, [2]. The object accessed is the 7th, [6], the requested access (the %%1537 placeholder) is the 9th, [8], and so on down the line. The order of the strings follows the message template of that particular event ID, so these positions hold for 4663 but will be different for other events; check the message text of each event ID before hard-coding an index.

Now, with that information out of the way, lets pull some information.

# Pull every 4663 (object access) event from the Security log and build a
# flat object from the positions in ReplacementStrings described above.
Get-EventLog Security -InstanceId 4663 |
     Select TimeGenerated,ReplacementStrings |
     % {
         New-Object PSObject -Property @{
            TimeGenerated = $_.TimeGenerated
            # [2] = Account Domain, [1] = Account Name
            UserName = $_.ReplacementStrings[2] + "\" + $_.ReplacementStrings[1]
            # [6] = Object Name
            Object = $_.ReplacementStrings[6]
            # [8] = Accesses (the %%nnnn placeholder, e.g. %%1537)
            Access = $_.ReplacementStrings[8]
        }
     }


When this is run you'll see formatted output like the one below. Note that a plain hashtable passed to New-Object does not guarantee property order in v2.0, so your columns may come out in a different sequence:


Object                    TimeGenerated          UserName
------                    -------------          --------
C:\Temp\SecuredFolder     2/30/2010 12:00:00 PM  MYDOMAIN\johndoe
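A fuller version of the same idea, added here as an example and not code from the original post: it names each ReplacementStrings position of a 4663 record and decodes the %%nnnn placeholders on the Accesses line. The field-name list, the ConvertFrom-Event4663 function and the placeholder-to-name table are my own (the table entries are what I recall from the 4663 message text, so verify them on your system), and the sample record is constructed to mirror the one shown above so the function can be tried without reading the Security log.

```powershell
# Added example (not part of the original post): name the 4663 ReplacementStrings
# positions and decode the Accesses placeholders. The field order below follows
# the 4663 message template; other event IDs lay their strings out differently.
$Fields4663 = 'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId',
              'ObjectServer', 'ObjectType', 'ObjectName', 'HandleId',
              'AccessList', 'AccessMask', 'ProcessId', 'ProcessName'

# Assumed lookup for the %%nnnn placeholders on the Accesses line (generic and
# file-specific rights as I recall them from the 4663 message table; check them
# against your own system). Codes not listed are passed through unchanged.
$AccessNames = @{
    '%%1537' = 'DELETE'
    '%%1538' = 'READ_CONTROL'
    '%%1539' = 'WRITE_DAC'
    '%%1540' = 'WRITE_OWNER'
    '%%1541' = 'SYNCHRONIZE'
    '%%4416' = 'ReadData/ListDirectory'
    '%%4417' = 'WriteData/AddFile'
    '%%4418' = 'AppendData/AddSubdirectory'
    '%%4419' = 'ReadEA'
    '%%4420' = 'WriteEA'
    '%%4421' = 'Execute/Traverse'
    '%%4422' = 'DeleteChild'
    '%%4423' = 'ReadAttributes'
    '%%4424' = 'WriteAttributes'
}

function ConvertFrom-Event4663 {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $rs = $Event.ReplacementStrings
        # Skip records that do not carry the strings we expect (wrong event ID or
        # a truncated record): indexing past the end would silently yield $null.
        if ($Event.InstanceId -ne 4663 -or $rs.Count -lt $Fields4663.Count) { return }

        $props = @{ TimeGenerated = $Event.TimeGenerated }
        for ($i = 0; $i -lt $Fields4663.Count; $i++) { $props[$Fields4663[$i]] = $rs[$i] }

        # The Accesses line may hold several placeholders separated by whitespace
        # and newlines, so split, translate each one and rejoin.
        $codes = @($rs[8] -split '\s+' | Where-Object { $_ })
        $names = $codes | ForEach-Object {
            if ($AccessNames.ContainsKey($_)) { $AccessNames[$_] } else { $_ }
        }
        $props['Accesses'] = @($names) -join ', '
        $props['UserName'] = '{0}\{1}' -f $rs[2], $rs[1]
        New-Object PSObject -Property $props
    }
}

# Constructed sample modelled on the record shown above, so the function can be
# exercised without reading the Security log (which requires admin rights).
$sample = New-Object PSObject -Property @{
    TimeGenerated      = (Get-Date)
    InstanceId         = 4663
    ReplacementStrings = @('S-1-5-21-0-0-0-1106', 'johndoe', 'MYDOMAIN', '0x251942',
                           'Security', 'File', 'C:\Temp\SecuredFolder', '0xa18',
                           "%%1537`r`n`t`t`t`t", '0x10000', '0x4', '')
}
$sample | ConvertFrom-Event4663 |
    Format-List UserName, ObjectName, Accesses, AccessMask, ProcessId
# Accesses shows DELETE, which matches the Access Mask of 0x10000.

# Against the live log (run from an elevated prompt). Filtering on ObjectType
# keeps file and folder hits and drops registry-key and other object types.
# Get-EventLog Security -InstanceId 4663 | ConvertFrom-Event4663 |
#     Where-Object { $_.ObjectType -eq 'File' } |
#     Format-Table TimeGenerated, UserName, ObjectName, Accesses -AutoSize
```

Piping real records works the same way as the constructed sample. One caveat: Get-EventLog walks the whole Security log to apply -InstanceId, so on a busy server Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} is considerably faster. Its records expose the same inserted strings as .Properties[n].Value rather than as ReplacementStrings, so the index mapping above still applies, only the property name differs.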
 
Hopefully this helps someone get information out of the event logs more efficiently.
