Example Searches
Here are some examples of how to search through your logs, either in PowerShell (on the event collectors) or in Kibana (long-term storage).
PowerShell (on the event collectors):
View all events in the ForwardedEvents log:
PS C:\> Get-WinEvent -LogName ForwardedEvents
Pull event 4104 from the ForwardedEvents log:
PS C:\> Get-WinEvent -FilterHashtable @{Logname="ForwardedEvents"; ID=4104}
Search for events containing the string "admin" in the ForwardedEvents log:
PS C:\> Get-WinEvent -FilterHashtable @{Logname="ForwardedEvents"} | Where {$_.Message -like "*admin*"}
grep-style search for lines of events containing the case-insensitive string "USB" in forwarded events:
PS C:\> Get-WinEvent -FilterHashtable @{Logname="ForwardedEvents"} | fl | findstr /i USB
Pull all errors (level=2) from forwarded events:
PS C:\> Get-WinEvent -FilterHashtable @{Logname="ForwardedEvents"; level=2}
Kibana (long-term storage):
Find all events with ID 4104:
event_id:4104
Search for events containing "admin":
message:*admin*
Find out if event logs have been cleared:
log_name:Security AND (event_id:517 OR event_id:1102)
Find out if local accounts are being created:
event_id:4720
Check to see if scheduled tasks are being created:
event_id:4698
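The three detection queries above (log cleared, local account created, scheduled task created), as an added example that runs them together in PowerShell on a collector instead of in Kibana; this is not code from the original page. The function and parameter names are this example's own, and a 24-hour window is assumed.

```powershell
# Added example (not from the original page): sweep the ForwardedEvents log on a
# collector for the detection event IDs the Kibana queries above look for.
# Function and parameter names are this example's own.
function Get-ForwardedSuspiciousEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,                     # assumed look-back window
        [string]$LogName = 'ForwardedEvents'
    )

    # Event IDs from the page's Kibana searches, with a short label each.
    $watch = @{
        517  = 'Security log cleared (legacy ID)'
        1102 = 'Security log cleared'
        4720 = 'Local user account created'
        4698 = 'Scheduled task created'
    }

    $filter = @{
        LogName   = $LogName
        ID        = @($watch.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat that as "nothing to report".
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { return @() }
        throw
    }

    foreach ($e in $events) {
        # Forwarded events keep the originating host in MachineName. 4720/4698 carry
        # their fields in EventData; 1102 uses UserData/LogFileCleared instead.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cleared = $xml.Event.UserData.LogFileCleared
        if ($cleared) { $data['SubjectUserName'] = $cleared.SubjectUserName }
        $target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['TaskName'] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = $e.MachineName
            ID      = $e.Id
            What    = $watch[[int]$e.Id]
            Subject = $data['SubjectUserName']
            Target  = $target
        }
    }
}

Get-ForwardedSuspiciousEvents -Hours 24 | Sort-Object Source, Time | Format-Table -AutoSize
```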