Channel: psEventLogWatcher Wiki Rss Feed

Updated Wiki: Basic Examples
Basic Example 1

This example uses the functions in the module to register an EventRecordWritten event for every new Windows Event Log entry written to the Security log. The action taken in this example is to output details about the event using Write-Host. The information could instead be written to a log file, or parsed from $EventRecordXML and stored in SQL.

The last Security log event to be processed is bookmarked by default in ".\bookmark.stream". This bookmark can be used later to resume processing from where the watcher left off, as shown in Example 2.

Unless the query passed to New-EventLogQuery is modified, this example processes every event in the log: it starts from the first event and runs until the most recent event has been processed, then keeps raising EventRecordWritten events for new entries. The watcher continues to raise events until it is disabled, disposed, or the event subscription is removed with Unregister-Event.

Monitoring also stops when the current console is closed. This includes the end of a script running as a scheduled task: the watcher only lives as long as the PowerShell scope it was created in, so a script that registers the watcher and then exits monitors nothing.

$EventLogQuery = New-EventLogQuery "Security"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery

$action = {
    Write-Host ("[ {0:g} ] Found Event {1} from {2} @ {3:g} " -f $Event.TimeGenerated, $EventRecord.RecordID, $EventRecord.MachineName, $EventRecord.TimeCreated)
}

Register-EventRecordWrittenEvent $EventLogWatcher -Action $action
$EventLogWatcher.Enabled = $True
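The following is an added example, not code from the psEventLogWatcher wiki or module: it runs Example 1 as a long-lived script (for instance from a scheduled task), which is the situation the paragraph above warns about, and tears the watcher down cleanly when the script is interrupted. It assumes the module is already imported and exposes the cmdlets shown above; Wait-Event, Get-EventSubscriber and Unregister-Event are standard PowerShell, and Dispose() is the IDisposable method on the .NET EventLogWatcher the page says can be disposed.

```powershell
# Added example: keep the watcher from Example 1 alive for the lifetime of a
# script and shut it down cleanly. Assumes the psEventLogWatcher cmdlets used
# on this page (New-EventLogQuery, New-EventLogWatcher,
# Register-EventRecordWrittenEvent) are available in the session.
$EventLogQuery   = New-EventLogQuery "Security"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery

$action = {
    Write-Host ("[ {0:g} ] Found Event {1} from {2} @ {3:g}" -f `
        $Event.TimeGenerated, $EventRecord.RecordID, $EventRecord.MachineName, $EventRecord.TimeCreated)
}

Register-EventRecordWrittenEvent $EventLogWatcher -Action $action
$EventLogWatcher.Enabled = $True

try {
    # The subscription only lives as long as this scope, so block here instead
    # of letting the script end. Wait-Event yields to the engine, which is when
    # queued -Action script blocks execute; the timeout keeps the loop
    # responsive to Ctrl+C. Events that have an -Action are not returned by
    # Wait-Event, so the output is discarded.
    while ($true) {
        Wait-Event -Timeout 5 | Out-Null
    }
}
finally {
    # Runs on Ctrl+C as well as on normal exit: stop raising
    # EventRecordWritten, remove every event subscriber this session created,
    # then release the watcher's handle on the log.
    $EventLogWatcher.Enabled = $False
    Get-EventSubscriber | Unregister-Event
    $EventLogWatcher.Dispose()
}
```

When this runs as a scheduled task, the task stays "running" for as long as the loop does; stopping the task ends the scope and therefore the monitoring, which is the behaviour described above. Get-EventSubscriber | Unregister-Event removes all subscribers in the session, so in a session with other subscriptions filter by SourceIdentifier instead.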

Basic Example 2

This example is a continuation of Example 1, but resumes processing events from where the first example ended. The first step is to read in an EventBookmark using Get-BookmarkToStartFrom. The example reads from the default location ".\bookmark.stream", because no alternate $StreamPath is passed to Get-BookmarkToStartFrom.

The method shown in Example 2 can always be used, because Get-BookmarkToStartFrom returns a null value when the bookmark file does not exist. A null bookmark makes the watcher start from the first event matched by the EventQuery, which by default is the first event in the log.

$BookmarkToStartFrom = Get-BookmarkToStartFrom

$EventLogQuery = New-EventLogQuery "Security"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery $BookmarkToStartFrom

$action = {
    Write-Host ("[ {0:g} ] Found Event {1} from {2} @ {3:g} " -f $Event.TimeGenerated, $EventRecord.RecordID, $EventRecord.MachineName, $EventRecord.TimeCreated)
}

Register-EventRecordWrittenEvent $EventLogWatcher -Action $action
$EventLogWatcher.Enabled = $True


Basic Example 3

This example appends a line to "C:\LockoutEvents.csv" for every event with Event ID 4740 (a user account was locked out) that arrives in the ForwardedEvents log, for example on a Windows Event Collector receiving the Security log from domain controllers. The XPath query passed with -query restricts the watcher to that Event ID, so the bookmark only advances on matching events. Note that the action drops the CSV header row that ConvertTo-Csv emits, so the output file contains data rows only.

$BookmarkToStartFrom = Get-BookmarkToStartFrom

$EventLogQuery = New-EventLogQuery "ForwardedEvents" -query "*[System[(EventID=4740)]]"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery $BookmarkToStartFrom

$Action = {
    # Convert the selected properties of the record to CSV lines; element 0 is the header row.
    $EventRecord |
        Select-Object TimeCreated, ID, Level, MachineName, RecordID |
        ConvertTo-Csv -OutVariable OutData -NoTypeInformation

    # Skip the header and append only the data row(s) to the output file.
    $OutData[1..($OutData.Count - 1)] |
        ForEach-Object { Out-File -InputObject $_ "C:\LockoutEvents.csv" -Append }
}

Register-EventRecordWrittenEvent $EventLogWatcher -Action $Action
$EventLogWatcher.Enabled = $True
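The following is an added example, not code from the psEventLogWatcher wiki or module. It extends Example 3 in the direction Example 1 hints at (parsing the event XML rather than only the System-level properties): for each forwarded 4740 it extracts the locked-out account and the caller computer from the EventData section, and it keeps a header row in the CSV. It assumes the module cmdlets used on this page are available. EventRecord.ToXml() is the .NET method on System.Diagnostics.Eventing.Reader.EventRecord (the page also exposes the same XML as $EventRecordXML); the EventData field names TargetUserName, TargetDomainName and TargetSid are those of the Windows 4740 event schema, where TargetDomainName carries the caller computer name.

```powershell
# Added example: structured lockout records from forwarded 4740 events.
# Assumes the psEventLogWatcher cmdlets shown on this page. The output path is
# hard-coded inside the action because -Action script blocks do not see the
# script scope of the registering script.
$BookmarkToStartFrom = Get-BookmarkToStartFrom

$EventLogQuery   = New-EventLogQuery "ForwardedEvents" -query "*[System[(EventID=4740)]]"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery $BookmarkToStartFrom

$Action = {
    $CsvPath = "C:\LockoutEvents.csv"

    # Flatten <EventData><Data Name="...">value</Data>...</EventData> into a
    # hashtable keyed by the Name attribute. PowerShell's [xml] dot access
    # ignores the event schema namespace, so no namespace manager is needed.
    $xml  = [xml]$EventRecord.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $row = [pscustomobject]@{
        TimeCreated    = $EventRecord.TimeCreated
        RecordID       = $EventRecord.RecordID
        ReportingDC    = $EventRecord.MachineName      # the DC that wrote the event
        LockedAccount  = $data['TargetUserName']       # 4740: account that was locked out
        CallerComputer = $data['TargetDomainName']     # 4740: "Caller Computer Name"
        TargetSid      = $data['TargetSid']
    }

    # ConvertTo-Csv emits the header as element 0 on every call. Write it only
    # when the file is created, then append data rows on every event.
    $lines = $row | ConvertTo-Csv -NoTypeInformation
    if (-not (Test-Path $CsvPath)) { $lines[0] | Out-File $CsvPath }
    $lines[1..($lines.Count - 1)] | Out-File $CsvPath -Append
}

Register-EventRecordWrittenEvent $EventLogWatcher -Action $Action
$EventLogWatcher.Enabled = $True
```

Because CallerComputer is attacker-influenced data copied from the event, treat it as untrusted when the CSV is later imported elsewhere (for example, quote or escape it before building queries). The same pattern works for any event whose interesting fields live in EventData: change the -query and the field names read from $data.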

Basic Example 4

This is the same as Example 2, but uses a custom BookmarkStreamPath to save the EventBookmark to a specific location rather than the default ".\bookmark.stream". The example creates a $BookmarkStreamPath variable set to "C:\EventlogWatcher\SecurityLog.stream" and passes it to both Get-BookmarkToStartFrom, to read the last EventBookmark, and Register-EventRecordWrittenEvent, to write the newest EventBookmark. The directory must exist and the account running the watcher needs write access to it; otherwise the bookmark cannot be saved and the next run starts from the beginning of the log again.

$BookmarkStreamPath = "C:\EventlogWatcher\SecurityLog.stream"
$BookmarkToStartFrom = Get-BookmarkToStartFrom $BookmarkStreamPath

$EventLogQuery = New-EventLogQuery "Security"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery $BookmarkToStartFrom

$action = {
    Write-Host ("[ {0:g} ] Found Event {1} from {2} @ {3:g} " -f $Event.TimeGenerated, $EventRecord.RecordID, $EventRecord.MachineName, $EventRecord.TimeCreated)
}

Register-EventRecordWrittenEvent $EventLogWatcher $BookmarkStreamPath -Action $action
$EventLogWatcher.Enabled = $True
