I'm trying to export Security log entries to a CSV file for analysis. The script should count the success and failure audits logged, provide the count for each, and report the most common event ID.

Ahmed ELHabashi 1 Reputation point
2022-03-26T20:48:07.213+00:00

Hello All,

I'm trying to use Get-EventLog on the Security log for SuccessAudit and FailureAudit entries and export them to a CSV file. After exporting, I need to sort the results into Success and Failure for all logs, provide the count for each and the most common EventID. I have written this script, but after the export happens the results for the second part are the same.

Please, any help with this code, or any hint, is appreciated.

Set-Variable -Name EventAgeDays -Value 7 # we will take events for the latest 7 days
Set-Variable -Name CompArr -Value @("Srv1") # replace it with your server names
Set-Variable -Name LogNames -Value @("Security") # Checking the Security log only
Set-Variable -Name EventTypes -Value @("SuccessAudit","FailureAudit") # Loading only SuccessAudit,FailureAudit
Set-Variable -Name ExportFile -Value ".\Logs.csv"

# Assign the output of the loops so entries from every computer/log are collected
# instead of $el being overwritten on each pass
$el = foreach($comp in $CompArr)
{
    foreach($log in $LogNames)
    {
        Write-Host Processing $comp\$log
        Get-EventLog -ComputerName $comp -LogName $log -EntryType $EventTypes -After (Get-Date).AddDays(-$EventAgeDays)
    }
}
Write-Host -Fore Red Exporting to $ExportFile
$el | Select EntryType, Source, EventID, MachineName | Export-CSV $ExportFile -NoTypeInfo #EXPORT
Write-Host -Fore Green "Done!"

# Get-EventLog exposes the audit result as EntryType (Keywords is a Get-WinEvent property),
# and selecting rows needs Where-Object rather than Sort-Object; Group-Object exposes the ID as Name
$Success = Import-Csv -Path $ExportFile | Where-Object { $_.EntryType -eq "SuccessAudit" } | Measure-Object | Select-Object -ExpandProperty Count
$Failure = Import-Csv -Path $ExportFile | Where-Object { $_.EntryType -eq "FailureAudit" } | Measure-Object | Select-Object -ExpandProperty Count
$AuditTotal = $Success + $Failure
$EventID1 = Import-Csv -Path $ExportFile | Where-Object { $_.EntryType -eq "SuccessAudit" } | Group-Object EventID | Sort-Object Count -Descending | Select-Object -ExpandProperty Name -First 1
$EventID2 = Import-Csv -Path $ExportFile | Where-Object { $_.EntryType -eq "FailureAudit" } | Group-Object EventID | Sort-Object Count -Descending | Select-Object -ExpandProperty Name -First 1
Write-Host -Fore Green "Number of Audit Failures:" $Failure "failures of" $AuditTotal "entries"
Write-Host -Fore Red "Most Common Event ID:" $EventID2
Write-Host -Fore Green "Number of Audit Successes:" $Success "successes of" $AuditTotal "entries"
Write-Host -Fore Red "Most Common Event ID:" $EventID1

Thanks


2 answers

  1. Rich Matheisen 46,476 Reputation points
    2022-03-27T02:23:47.49+00:00

    This should do what you want without the need for intermediate files:

    $EventAgeDays   = 7                                     # we will take events for the latest 7 days
    $CompArr        = @(".")                                # replace it with your server names
    $LogNames       = @("Security")                         # Checking app and system logs
    $EventTypes     = @("SuccessAudit", "FailureAudit" )    # Loading only SuccessAudit,FailureAudit
    $SuccessCount   = 0
    $FailureCount   = 0
    $AuditTotal     = 0
    $SuccessByEvent = @{}
    $FailureByEvent = @{}
    
    foreach ($comp in $CompArr) {
        foreach ($log in $LogNames) {
            Write-Host Processing $comp\$log
            Get-EventLog -ComputerName $comp -log $log -EntryType $EventTypes |
                ForEach-Object{
                    if ($_.EntryType -eq "SuccessAudit"){
                        $SuccessCount++
                        $SuccessByEvent[$_.EventID]++
                        $AuditTotal++
                    }
                    elseif ($_.EntryType -eq "FailureAudit"){
                        $FailureCount++
                        $FailureByEvent[$_.EventID]++
                        $AuditTotal++
                    }
                }
        }
    }
    $MostFrequentSuccessEventCount = 0
    $MostFrequentSuccessEventID = 0
    $SuccessByEvent.GetEnumerator() |
        ForEach-Object{
            if ($_.Value -gt $MostFrequentSuccessEventCount){
                $MostFrequentSuccessEventCount = $_.Value
                $MostFrequentSuccessEventID = $_.Key
            }
        }
    
    $MostFrequentFailureEventCount = 0
    $MostFrequentFailureEventID = 0
    $FailureByEvent.GetEnumerator() |
        ForEach-Object{
            if ($_.Value -gt $MostFrequentFailureEventCount){
                $MostFrequentFailureEventCount = $_.Value
                $MostFrequentFailureEventID = $_.Key
            }
        }
    
    Write-Host -Fore Green "Number of Audit Failures:" $FailureCount "failures of" $AuditTotal "entries"
    Write-Host -Fore Red "Most Common Event ID:" $MostFrequentFailureEventID "($MostFrequentFailureEventCount)"
    Write-Host -Fore Green "Number of Audit Successes:" $SuccessCount "successes of" $AuditTotal "entries"
    Write-Host -Fore Red "Most Common Event ID:" $MostFrequentSuccessEventID "($MostFrequentSuccessEventCount)"
    
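An added example, not the asker's or Rich Matheisen's code, that produces the same per-type counts and most-common EventID with Get-WinEvent instead of the classic Get-EventLog: the audit result is selected through the Keywords bitmask, the filter runs inside the event log service, and the EventAgeDays window that both posted scripts define but never apply is honoured. It assumes the Security log on the local computer and an account permitted to read it.

```powershell
# Added example: summarise Security-log audit results with Get-WinEvent.
# Assumes the local computer ('.') and an account allowed to read the Security log.
$EventAgeDays = 7
$CompArr      = @('.')                              # replace with your server names
$StartTime    = (Get-Date).AddDays(-$EventAgeDays)  # window the posted scripts define but never use

# Get-WinEvent records carry the audit result in Keywords, not EntryType.
# FilterHashtable turns Keywords into a bitwise test, so the standard
# AuditSuccess / AuditFailure bits match every audit record of that kind.
$AuditKeyword = @{
    SuccessAudit = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
    FailureAudit = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
}

$Summary = foreach ($comp in $CompArr) {
    foreach ($type in @('SuccessAudit', 'FailureAudit')) {
        # Filtering server-side avoids pulling the whole Security log across the wire
        $events = @(Get-WinEvent -ComputerName $comp -FilterHashtable @{
            LogName   = 'Security'
            Keywords  = $AuditKeyword[$type]
            StartTime = $StartTime
        } -ErrorAction SilentlyContinue)   # "No events were found" is not a failure here

        # Group-Object builds the EventID histogram; first group after sorting is the most common ID
        $top = $events | Group-Object -Property Id |
            Sort-Object -Property Count -Descending |
            Select-Object -First 1

        $topId   = $null
        $topHits = 0
        if ($top) { $topId = [int]$top.Name; $topHits = $top.Count }

        [pscustomobject]@{
            Computer       = $comp
            AuditType      = $type
            Count          = $events.Count
            TopEventID     = $topId
            TopEventIDHits = $topHits
        }
    }
}

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path '.\AuditSummary.csv' -NoTypeInformation   # one row per computer and audit type
```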

  2. Ahmed ELHabashi 1 Reputation point
    2022-03-27T17:53:17.32+00:00

    Thanks a lot Rich Matheisen,

