The EventLogWatcher module can be used directly from the PowerShell command line. Although, once the PowerShell console/session is closed, all of the registered events are destroyed. An alternative could be to use WMI permanent Events that stay resident after the console is closed.
- http://blogs.technet.com/b/heyscriptingguy/archive/2010/12/08/use-a-powershell-module-to-work-with-wmi-permanent-events.aspx
- http://blogs.technet.com/b/heyscriptingguy/archive/2010/12/09/use-the-powershell-wmi-event-module-to-quickly-monitor-events.aspx
- http://trevorsullivan.net/2009/11/16/powershell-getting-started-with-wmi-events/
Unfortunately the Forwarded Events log (and the other new event logs introduced in 2008 and later) does not write to the Win32_NTLogEvent class, so WMI event subscriptions cannot see those records.
Another alternative would be to create a script that includes all of the steps needed to properly register the necessary EventLogWatcher. Since the module stores a bookmark by default, it will pick up from where it left off the last time the script completed. The script can then be configured to run as a scheduled task at whatever polling interval is required.
Depending on how the given script is written, it may be necessary to add some code in order to keep it "active" long enough to capture events. Once the script has registered the event, it may exit if it has nothing left to do. The script would be considered "successful" even if all it does is register the object event, and it may exit before it is able to capture any new events. This can be resolved by simply giving the script something to do after the event has been registered. One method would be to create a stopwatch object and then run it for a set period of time. An example of this is provided below:
    # $PollSeconds must already be set (or passed in as a script parameter) before this runs.
    $sw = New-Object System.Diagnostics.Stopwatch      # timer that bounds how long the script stays alive
    $sw.Start()
    while ($sw.Elapsed.TotalSeconds -lt $PollSeconds) {
        Start-Sleep -Milliseconds 500                  # idle instead of spinning; the registered event action still runs between iterations
    }
    $sw.Stop()
It would be necessary to either pass $PollSeconds to the script as a parameter, or to set it to a value prior to executing this code. Technically it is only necessary to keep the script active long enough for the EventLogWatcher to detect new events and add them to the queue to be processed. Some trial and error may be needed to find the proper amount of time.
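The following script is an added example, not code from the original page or from the EventLogWatcher module: it puts the scheduled-task and keep-alive steps described above together into one runnable script, using the .NET System.Diagnostics.Eventing.Reader.EventLogWatcher class directly rather than the module's cmdlets. The log name, the state-file path, the per-record output line and the use of the highest EventRecordID as a simple stand-in for the module's bookmark are all assumptions chosen for illustration.

```powershell
# Added example (not part of the original page or the EventLogWatcher module).
# Polls the Forwarded Events log for $PollSeconds, processes every new record
# from PowerShell's event queue, and persists the highest record id seen so the
# next scheduled run resumes where this one stopped.
param(
    [int]    $PollSeconds = 60,                                        # how long each scheduled run stays alive
    [string] $LogName     = 'ForwardedEvents',                         # assumption: WEF collector log
    [string] $StateFile   = "$env:ProgramData\EventLogPoll\ForwardedEvents.lastid"   # assumption: resume-point file
)

# Resume point: highest EventRecordID processed by the previous run (0 on the first run).
$lastId = [int64]0
if (Test-Path $StateFile) { $lastId = [int64]((Get-Content $StateFile -Raw).Trim()) }

# XPath filter so the watcher only raises records newer than the saved position;
# readExistingEvents = $true replays anything written while no run was active.
$xpath   = "*[System[EventRecordID > $lastId]]"
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    $LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query, $null, $true)

# Register without -Action so each event lands in the PowerShell event queue and
# is consumed below on the main thread; a slow handler then cannot drop records.
$sourceId = 'FwdEvents'
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier $sourceId | Out-Null
$watcher.Enabled = $true

# Keep-alive loop: Wait-Event both blocks (so the script does not exit early)
# and pumps the event queue, so no busy loop is needed.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    while ($sw.Elapsed.TotalSeconds -lt $PollSeconds) {
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 5
        if ($null -eq $evt) { continue }                   # timed out, nothing queued yet
        $rec = $evt.SourceEventArgs.EventRecord
        Remove-Event -EventIdentifier $evt.EventIdentifier
        if ($null -eq $rec) { continue }                   # EventRecord is null when the watcher reports an error instead

        # Handler body (assumption): one summary line per record, e.g. for a log forwarder to pick up.
        '{0:o} {1} {2} id={3} rid={4}' -f $rec.TimeCreated, $rec.MachineName, $rec.ProviderName, $rec.Id, $rec.RecordId
        if ($rec.RecordId -gt $lastId) { $lastId = $rec.RecordId }
    }
}
finally {
    # Tear down in order: stop the watcher, drop the subscription, then save the resume point.
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier $sourceId
    $watcher.Dispose()
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -Path $StateFile -Value $lastId
}
```

Run it as a scheduled task at the same interval as $PollSeconds so the runs chain without a gap; reading the Forwarded Events log requires membership in the Event Log Readers group or an equivalent right for the task account. Because the script resumes from the saved record id, protect the state file like any other collector state: if it is deleted or altered, the next run either replays old records or skips new ones.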
Yet another alternative would be to call PowerShell with the -NoExit parameter:
    powershell.exe -NoExit "& 'C:\MyScript.ps1'"
Using this approach the console remains open, so it may be necessary to close the console at some point depending on your requirements.