How to collect Security Event Logs for a single category via Powershell


It's not that Get-EventLog doesn't get the Task Category, it's just that it's not the default behavior of the Cmdlet to display it. But the data is still there.

Import-Module ActiveDirectory
foreach ($server in Get-ADComputer -Filter *)
{
    # Get-ADComputer returns computer objects, so pass the name (not the object) to -ComputerName.
    # CategoryNumber is the raw task-category value; 12544 is the example category being filtered for.
    Get-EventLog -LogName Security -ComputerName $server.Name | Where-Object { $_.CategoryNumber -eq 12544 }
}

This is further complicated by the fact that the Task Categories are actually in numerical format - Event Viewer uses CategoryMessageFiles to translate the category numbers into category names.

You can find the location of the CategoryMessageFiles in the registry, at HKLM\System\CurrentControlSet\services\eventlog\Security\Security (there's a subkey for each event log.)

The reason it's done this way is to make it easy for developers to create their own event logs and their own task categories for their own applications.

Here's some developer documentation on how to get CategoryMessage strings, but I know you don't want to go through all that, so the next best thing would just be to find examples of the kind of events that you want to filter for, figure out their category numbers, and then do a Switch($_.CategoryNumber) on them to translate them into whatever strings you like.

Edit: Actually scratch all that. Ignore everything I just said. This should serve you much better:

Get-WMIObject -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security'" | Select EventCode, CategoryString
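A fuller version of the hourly collection the question describes, built on the answer's Win32_NTLogEvent query, as an added example (not code from the answer or from the commenters); the archive share, the category list and the one-hour window are assumed values.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# WMI/DCOM reachability to each DC and rights to read its Security log.
param(
    [string[]]$Categories = @('Logon', 'Logoff'),        # assumed category names
    [string]$ArchiveRoot  = '\\fileserver\LogArchive',   # assumed archive share
    [int]$Hours = 1
)
Import-Module ActiveDirectory

# WMI stores TimeGenerated as a DMTF string, so convert the cutoff the same way;
# the time filter is then evaluated on the DC instead of pulling the whole log.
$cutoff = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))
$query  = "SELECT EventCode, CategoryString, TimeGenerated, SourceName, Message " +
          "FROM Win32_NTLogEvent WHERE LogFile='Security' AND TimeGenerated >= '$cutoff'"

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # CategoryString is the already-translated task category, so no
        # CategoryNumber-to-name switch is needed; filter on it client-side.
        $events = Get-WmiObject -Query $query -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $Categories -contains $_.CategoryString } |
            ForEach-Object {
                [pscustomobject]@{
                    DC            = $dc.HostName
                    TimeGenerated = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                    EventCode     = $_.EventCode
                    Category      = $_.CategoryString
                    Source        = $_.SourceName
                    Message       = $_.Message
                }
            }
    } catch {
        # One unreachable DC should not abort the collection for the others.
        Write-Warning "$($dc.HostName): $_"
        continue
    }
    $stamp = (Get-Date).ToString('yyyyMMdd_HHmm')
    $out   = Join-Path $ArchiveRoot "$($dc.HostName)_Security_$stamp.csv"
    $events | Export-Csv -Path $out -NoTypeInformation
    Write-Verbose "$($dc.HostName): $(@($events).Count) events written to $out"
}
```

Copying the events off the DC on a schedule shorter than the log's wrap-around time is what keeps them from being lost when MaxSize is reached.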


Darktux

Updated on September 18, 2022

Comments

  • Darktux
    Darktux over 1 year

    I am trying to write a script which collects the security log from all of our domain controllers hourly and stores them remotely; I can collect the security logs, but is there a way to collect the security logs by category or event number from the DC? Please do let me know if there are any additional questions.

    My Code:

    # $computer, $Folder and $clear are assumed to be set by enclosing code that is not shown here.
    $EventLogs = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $computer
    foreach ($log in $EventLogs)
    {
        if ($log.LogFileName -eq "Security")
        {
            $Now = [DateTime]::Now
            $FileName = "Security" + "_" + $Now.Month + $Now.Day + $Now.Year + "_" + $Now.Hour + $Now.Minute + $Now.Second
            $path = "\\{0}\c$\LogFolder\$Folder\$FileName.evt" -f $computer
            # BackupEventLog writes the log to $path; a non-zero ReturnValue means the backup failed.
            $ErrBackup = ($log.BackupEventLog($path)).ReturnValue
            if ($clear)
            {
                if ($ErrBackup -ne 0)
                {
                    "Backup failed"
                    "Backup Error was " + $ErrBackup
                }
            }
        }
    }
    Copy-EventLogsToArchive -path $path -Folder $Folder
    
    • MooseBalm
      MooseBalm over 10 years
      Instead of scanning all of the logs, why don't you just start with Get-EventLog -LogName Security?
    • Darktux
      Darktux over 10 years
      @MooseBalm "Get-EventLog -LogName Security" is Skipping "Task Category" in the output, we need that.
  • Darktux
    Darktux over 10 years
    Excellent, thank you, sounds about right. Do you know which key or policy defines the event log size on the server? Our event logs are being overwritten within an hr, want to make them stick at least for 3-5 hrs.
  • Ryan Ries
    Ryan Ries over 10 years
    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\{LogName}\MaxSize It's a DWORD. It seems possible a reboot may be required for changes made here to take effect; not sure.
  • Darktux
    Darktux over 10 years
    It's set to hexadecimal 1400000, how can I translate it to MB?
  • Ryan Ries
    Ryan Ries over 10 years
    With Calculator.exe in Programmer mode... comes with Windows.
  • Darktux
    Darktux over 10 years
    Sure, I will try your suggestions. Our effort is to achieve passive backups for now and store them, so that if something happens in future we can come back and dig through.