

get-eventlog

Question

Thursday, February 5, 2015 9:41 PM

I'm trying to read the last 7 days of relevant Security log entries on one of my DCs and I'm getting the following error. Is there a way to accommodate all the data that's being returned? I don't explicitly declare $eventlog as a particular variable type.

Clear-Variable -name eventlog

    + CategoryInfo          : ObjectNotFound: (eventlog:String) [Clear-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.ClearVariableCommand
 
Get-EventLog : Log "Security" could not be read to completion due to the following error. This may have occurred because the log was cleared while still being read. Index 81445 is out of
bounds.
At D:\tsg\Documentation\Powershell Repository\adaudit.ps1:163 char:13

+ $eventlog = Get-EventLog -LogName ‘Security’ -ComputerName $domaincontroller -In ...

    + CategoryInfo          : ReadError: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : LogReadError,Microsoft.PowerShell.Commands.GetEventLogCommand
Get-EventLog : No matches found
At D:\tsg\Documentation\Powershell Repository\adaudit.ps1:163 char:13

+ $eventlog = Get-EventLog -LogName ‘Security’ -ComputerName $domaincontroller -In ...

    + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

...and here's a snippet of the relevant code:

foreach ($domaincontroller in $domaincontrollers) {

    # Fails with VariableNotFound on the first pass, before $eventlog exists (first error above)
    Clear-Variable -Name eventlog

    # Legacy (pre-Windows Server 2008) IDs for the same events: 517,624,626,630,632,633,634,636,637,642,644,660,661,671
    # Line 163 of adaudit.ps1: the Get-EventLog call that raises "Index 81445 is out of bounds"
    $eventlog = Get-EventLog -LogName 'Security' -ComputerName $domaincontroller -InstanceId 1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767 -After ((Get-Date).AddDays(-7)) | select TimeGenerated,InstanceID,Message

    # Members added to Domain Local Groups
    $MyReport += Get-CustomHeader "1" "Members added to Domain Local Groups on domain controller $domaincontroller"
    $MyReport += Get-HTMLTable ($eventlog | Where-Object {$_.InstanceID -eq "4732"} | select TimeGenerated,Message)
    $MyReport += Get-CustomHeaderClose

    # ... further per-DC report sections omitted from the snippet
}

$MyReport += Get-CustomHeader0Close
$MyReport += Get-CustomHTMLClose

Thanks in advance,

Greg

All replies (7)

Tuesday, February 10, 2015 7:38 PM ✅Answered | 1 vote

I ended up rewriting the get-eventlog line and I used the get-winevent statement with a hashtable filter instead. The processing time went from 647 seconds to 4 seconds against 1 DC with the new code. Additionally, the error about the Index bounds disappeared:

$days = ((Get-Date).AddDays(-7))

foreach ($domaincontroller in $domaincontrollers) {

    # Server-side filter: log, event IDs and start time are evaluated by the event log service, not in PowerShell
    $eventlog = Get-WinEvent -ComputerName $domaincontroller -FilterHashtable @{Logname='Security'; ID=@(1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767); StartTime=$days} | select TimeCreated,ID,Message

    # do formatting stuff here

}


Thursday, February 5, 2015 10:21 PM

You didn't post your script and that stuff is impossible to read.

¯\(ツ)_/¯


Thursday, February 5, 2015 10:28 PM

This will help push you in the right direction:

$after = [DateTime]::Today.AddDays(-7)
foreach ($domaincontroller in $domaincontrollers) {

    # -ea 0 (SilentlyContinue) makes "No matches found" return nothing instead of an error,
    # so the report section is only emitted for DCs that actually have 4732 events
    if ($eventlog = Get-EventLog -LogName 'Security' -ComputerName $domaincontroller -InstanceId 4732 -After $after -ea 0) {
        $MyReport += Get-CustomHeader "1" "Members added to Domain Local Groups on domain controller $domaincontroller"
        $MyReport += Get-HTMLTable ($eventlog | select TimeGenerated,Message)
        $MyReport += Get-CustomHeaderClose
    }
}
$MyReport += Get-CustomHeader0Close
$MyReport += Get-CustomHTMLClose

¯\(ツ)_/¯


Tuesday, February 10, 2015 7:33 PM

Hi jrv,

The only part of what I posted that should be relevant is the line causing the error:

$eventlog = Get-EventLog -LogName 'Security' -ComputerName $domaincontroller -InstanceId 1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767 -After ((Get-Date).AddDays(-7)) | select TimeGenerated,InstanceID,Message

The other snippet of code was to give people an idea of how I'm handling the result.


Tuesday, February 10, 2015 7:35 PM

Hi Jrv,

Other than adding a variable for the search period (and cleaning up the formatting), I'm not sure what you've done to my code to push me in the right direction and overcome the error (Index 81445 is out of bounds.). I'd like to understand what you've changed/improved and I'd appreciate your comments :)


Tuesday, February 10, 2015 7:50 PM

I will keep trying.  Eventually you will see why.

$filter = @{
    Logname   = 'Security'
    ID        = @(1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767)
    StartTime = [datetime]::Today.AddDays(-7)
}
$domaincontrollers |
    ForEach-Object {
        Get-WinEvent -ComputerName $_ -FilterHashtable $filter
    } |
    select TimeCreated,ID,Message |
    Format-Table -auto
    # do formatting or exporting stuff here

¯\(ツ)_/¯


Tuesday, February 10, 2015 7:54 PM

If you were just trying to save the retrieved values then we would do it this way for performance and reliability reasons.

$filter = @{
    Logname   = 'Security'
    ID        = @(1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767)
    StartTime = [datetime]::Today.AddDays(-7)
}
$events = $domaincontrollers |
    ForEach-Object {
        Get-WinEvent -ComputerName $_ -FilterHashtable $filter
    } |
    select TimeCreated,ID,Message

# do formatting or exporting stuff here
$events | Format-Table -auto

It is more effective and efficient to use the pipeline to accumulate.

¯\(ツ)_/¯
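The following is an added example, not code posted by Greg or jrv in this thread. It combines the accepted answer's Get-WinEvent -FilterHashtable query with the pipeline accumulation jrv recommends in his last reply, and adds the two things a DC audit script usually needs next: handling the case where a DC returns no matching events (Get-WinEvent reports that as an error, unlike an empty result) and pulling the group, member and actor out of the "member added" events by field name rather than by scraping Message. The DC names are placeholders, the filter reuses the thread's event ID list, and the FullyQualifiedErrorId prefix NoMatchingEventsFound used to recognise the "no events" case is assumed from Get-WinEvent's standard error output.

```powershell
# Added example (not from the thread). Assumes $domaincontrollers holds DC host
# names reachable over RPC from an account allowed to read the Security log.
$domaincontrollers = 'dc01.example.local', 'dc02.example.local'   # placeholder names

# Same IDs as the question: log cleared, user/group lifecycle, group membership changes, lockouts
$filter = @{
    LogName   = 'Security'
    Id        = 1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767
    StartTime = [datetime]::Today.AddDays(-7)
}

# IDs in that list that mean "a member was added to a group":
# 4728 global, 4732 domain-local, 4756 universal
$memberAddedIds = 4728, 4732, 4756

function Convert-EventData {
    # Flatten an event's <Data Name="..."> elements into a hashtable so fields
    # are read by name instead of by Properties[] index. 1102 (log cleared)
    # carries its fields under <UserData> instead of <EventData>.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    if ($xml.Event.EventData) {
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    } elseif ($xml.Event.UserData) {
        foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
    }
    return $data
}

# Accumulate through the pipeline once; no $MyReport += inside the loop.
$events = foreach ($dc in $domaincontrollers) {
    try {
        # -ErrorAction Stop turns Get-WinEvent's non-terminating errors
        # ("no events found", RPC unavailable, access denied) into catchable ones.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                $d     = Convert-EventData $_
                $isAdd = $_.Id -in $memberAddedIds
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    Id          = $_.Id
                    Group       = $(if ($isAdd) { $d['TargetUserName'] })
                    Member      = $(if ($isAdd) { $d['MemberName'] })
                    Actor       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Summary     = ($_.Message -split "`r?`n")[0]   # first line of the rendered message
                }
            }
    } catch {
        # Assumed error id for "No events were found that match the specified selection criteria."
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "$dc : no matching Security events in the last 7 days"
        } else {
            Write-Warning "$dc : $($_.Exception.Message)"   # unreachable DC, access denied, etc.
        }
    }
}

# Consume the accumulated objects in whatever shapes the report needs
$events | Where-Object Id -in $memberAddedIds |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, DC, Id, Group, Member, Actor -AutoSize

$events | Export-Csv -NoTypeInformation -Path ".\dc-security-audit-$(Get-Date -Format yyyyMMdd).csv"
```

The hashtable filter is applied by the event log service on the DC, which is why the thread saw the query drop from minutes to seconds: Get-EventLog pulls every record and filters client-side, and it is that full read that tripped over the log rolling underneath it. Reading the fields from the event XML also keeps the report stable across language packs, where Message text differs but the Data element names do not.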