Project Description
A PowerShell module that provides some additional functions to enhance PowerShell Eventing in relation to Windows Event Log events. Subscriptions can be made and actions taken when new events are written to a log. In a sense, this can be used as a "poor man's" auditing system.
These functions can be used in combination with Windows Event Forwarding (http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx) and the ForwardedEvents log to basically create a working auditing system. Once you have a working Windows Event Collector server established, these functions can monitor incoming events and run whatever action you need to occur, for example:
- Write information to the host about the new events
- Write the events to a log file
- Email alerts
- Export the Event XML data into SQL for long term storage
- Just about any other action you would like to occur...
Some of this can be accomplished with WMI events, but unfortunately the ForwardedEvents log is not available as a WMI trigger. Also, the functions provide a bookmarking feature to resume monitoring from where it left off on the last run. This means that a script can be built and set as a scheduled task to essentially run as an "agent" that will always process the given Event Log up to the current event.
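The subscribe / act / resume-from-bookmark cycle described above, as an added example that is not the module's own code: it is written directly against the System.Diagnostics.Eventing.Reader classes the module wraps, so it runs on Windows PowerShell 2.0 without the module. The log name, XPath filter, state-file path and run length are assumptions.

```powershell
# Added example, not code from the EventLogWatcher module: a minimal scheduled-task
# "agent" built on System.Diagnostics.Eventing.Reader. It resumes from a saved
# EventBookmark, handles each new ForwardedEvents record, and saves the bookmark of
# the last record processed. Log name, filter, state file and run length are assumed.

$LogName    = 'ForwardedEvents'
$XPath      = '*[System[(EventID=4624 or EventID=4625)]]'   # assumed filter: logon success/failure
$StateFile  = Join-Path $env:ProgramData 'EventLogAgent\bookmark.bin'
$RunSeconds = 60                                             # how long one scheduled run listens

# Load the bookmark left by the previous run, if any. The file is BinaryFormatter output
# written by this agent: keep it writable only by the agent's account, because
# BinaryFormatter must never deserialize data an attacker could have written.
$bookmark = $null
if (Test-Path $StateFile) {
    $fmt = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
    $fs  = New-Object System.IO.FileStream($StateFile, [System.IO.FileMode]::Open)
    try { $bookmark = $fmt.Deserialize($fs) } finally { $fs.Close() }
}

$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery($LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $XPath)
# A saved bookmark plus readExistingEvents=$true replays every record written after it.
# On a first run (no bookmark) start from "now" rather than replaying the whole log.
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query, $bookmark, ($bookmark -ne $null))

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier 'EventLogAgent' -MessageData $StateFile -Action {
    $record = $Event.SourceEventArgs.EventRecord
    if ($record -eq $null) { return }   # on a read error EventException is set instead
    # The action itself: a one-line summary to the host; swap in a log file, mail or SQL export.
    Write-Host ('{0} {1} {2} EventID={3}' -f $record.TimeCreated, $record.MachineName, $record.ProviderName, $record.Id)
    # Persist the bookmark after every record so a crash cannot lose the position.
    $dir = Split-Path -Parent $Event.MessageData
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $fmt = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
    $fs  = New-Object System.IO.FileStream($Event.MessageData, [System.IO.FileMode]::Create)
    try { $fmt.Serialize($fs, $record.Bookmark) } finally { $fs.Close() }
} | Out-Null

$watcher.Enabled = $true
$deadline = (Get-Date).AddSeconds($RunSeconds)
while ((Get-Date) -lt $deadline) {
    Wait-Event -Timeout 1 | Out-Null   # idle point at which the queued actions run
}
$watcher.Enabled = $false
Unregister-Event -SourceIdentifier 'EventLogAgent'
$watcher.Dispose()
```

Run it as a scheduled task under the collector's reader account; each run picks up exactly where the previous one stopped.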
Module Requirements
This module is intended for, and has only been tested on, Windows PowerShell 2.0.
Installing the Module
- Download the latest release ZIP
- Extract the folder, and store in your user PowerShell Modules folder (typically %userprofile%\Documents\WindowsPowerShell\Modules)
- From the PowerShell console type: Import-Module EventLogWatcher
Command List
Get-BookmarkToStartFrom
New-EventLogQuery
New-EventLogWatcher
Register-EventRecordWrittenEvent
Additional Information
- This module is based on information found within the MSDN Event Log Scenarios (http://msdn.microsoft.com/en-us/library/bb671204(v=VS.90).aspx)
- Information regarding the classes used can also be found within the MSDN System.Diagnostics.Eventing.Reader Namespace (http://msdn.microsoft.com/en-us/library/bb353651.aspx)
Important Note
This module is provided "as-is" without any warranty. Support and updates will be provided as time allows. However, I would always be interested in anyone looking to help with the project, and enhance or improve overall functionality.