How to clear a event log in Powershell 7 - powershell

in Powershell 5 we can clear a Windows-Event-Log in this way:
Get-EventLog -LogName * | % { Clear-EventLog -LogName $_.log }
how to do this in Powershell 7??? (using powershell only)
Powershell way of handling windows events is now with Get-WinEvent
but it appears no Clear-WinEvent is available
of course we can do this with wevtutil.exe
or even brute-forcing the logs file deletion after stopping the service...
but i'm asking only with native powershell code.

Well this is interesting. Clear-WinEvent indeed is not part of PowerShell 7. There was an issue raised to get it added but doesn't like that's going anywhere without more action.
The Microsoft approved way to do this is:
Import-Module Microsoft.PowerShell.Management -UseWindowsPowerShell
Get-EventLog -LogName * | % { Clear-EventLog -LogName $_.log }
This spins up a Windows PowerShell 5.1 process that runs in the background and invokes the Cmdlet via implicit remoting... not the best.
A better way would be to leverage the .NET EventLogSession.ClearLog method:
Get-WinEvent -ListLog * | foreach {
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
}
Aside - PowerShell 7 module compatibility lists the Microsoft.PowerShell.Management module (that Get-EventLog and Clear-EventLog are part of) as 'Built into PowerShell 7'

Related

Is there a way to find which user run what application on a server using Powershell

I am trying to find a way to find out who has ran an application (for example SQL) on a server, just to get some idea.
I tried Get-Process but this doesn't give me historic information, I want to get historical information
Get-Process -IncludeUserName *
what I want the return resule is "name of application", "user who ran it" and the last datetime it was ran by that user'
As for ...
I am trying to find a way to find out who has ran an application (for
example SQL) on a server, just to get some idea.
What you are asking for here is software metering.
SQL is a service that is always running once it is installed, so, no individual user is ever going to be running it. So, that is a bad example. MS Word for example would be a better example.
Yet there is nothing native in PowerShell that does this, software metering, but of course PowerShell can look at event logs. Yet if your auditing is not setup correctly then it's moot. This is better for a software metering tool, and there are several out there. So, why try and reinvent the wheel.
As for ...
I tried Get-Process but this doesn't give me historic information, I
want to get historical information
That is not what a process is nor what Get-Process is for. It, Get-Process only checks for and lists whatever process is currently running, regardless of what/who launched it.
As for...
what I want the return resule is "name of application", "user who ran
it" and the last datetime it was ran by that user'
As long as the process is running, you can get this, with that cmdlet.
However, what are you trying to accomplish by this?
Again, there are purpose built tools to meter software use.
https://learn.microsoft.com/en-us/sccm/apps/deploy-use/monitor-app-usage-with-software-metering
If you must go down this reinvent the wheel road, using scripting, then you need a task watcher on the target machines, which watches for the WinWord process to appear.
Get-Process -IncludeUserName |
Where ProcessName -EQ 'Winword'
... you then write those results to a file or database or your own event log each time you see that process.
Use PowerShell to Create and to Use a New Event Log
New-EventLog -LogName ScriptingGuys -Source scripts
When the command runs, no output appears to the Windows PowerShell console. To ensure the command actually created a new event log, I use
the Get-EventLog cmdlet with the –List parameter. Here is the command
and the associated output.
Write-EventLog -LogName ScriptingGuys -Source scripts -Message “Dude, it works … COOL!” -EventId 0 -EntryType information
Or just to a file
Get-Process -IncludeUserName |
Where ProcessName -EQ 'Winword' |
Select-Object -Property Name, StartTime, Username |
Export-Csv -Path 'F:\Temp\AppLaunchLog.csv' -Append
Import-Csv -Path 'F:\Temp\AppLaunchLog.csv'
# Results
Name StartTime UserName
---- --------- --------
WINWORD 5/23/2019 9:02:53 PM WS01\LabUser001

View recent remote powershell connections

Is there an event log of some kind that is made when a remote pssession is initiated on a computer? I need to be able to see where a remote session has originated from.
Currently I am running
Get-EventLog -LogName "Windows powershell" -newest 100 | Format-List -Property * | where {$_.UserID -eq "username"}
But it is not filtering and/or showing remote connections.
We are here to help you with code issues. This is really not a code issue, but a understanding of how to set up and where correlate such detail. So, it's potentially a question for another forum.
Anyway, to get you close to what you are after, there are extra steps you need to employ to get such information. More on that in a bit.
Now, once you get this all setup and you write your script to pull / look at such info and you are having issues with that, then post that back here for folks to see what can be done
So, that leads us to here:
There are three general areas for logging available:
• Module Logging
• Script Block Logging
• PowerShell Transcription
If you have not done so, I would advise enabling on PS auditing and script logging for more insight into this use case and well as transcript logging (which can capture all commands / code executed on a host machine). If you set all this up properly, you fist look to the transcript log for details and well as the log name you reference in your post for other details.
Set this enterprise wide via GPO or DSC.
There is lot's of guidance on how to set this up.
For Example:
Audit PowerShell Usage using Transcription and Logging
Get-Command -Name '*transcript*'
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-TRSTranscriptionJob 3.3.234.0 AWSPowerShell
Cmdlet Get-TRSTranscriptionJobList 3.3.234.0 AWSPowerShell
Cmdlet Start-Transcript 3.0.0.0 Microsoft.PowerShell.Host
Cmdlet Start-TRSTranscriptionJob 3.3.234.0 AWSPowerShell
Cmdlet Stop-Transcript 3.0.0.0 Microsoft.PowerShell.Host
https://learn.microsoft.com/en-us/powershell/wmf/5.0/audit_overview
Practical PowerShell Security: Enable Auditing and Logging with DSC
https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc
More New Stuff in PowerShell V5: Extra PowerShell Auditing
Get-Module Microsoft.* | Select Name, LogPipelineExecutionDetails
Get-Module Microsoft.* | ForEach { $_.LogPipelineExecutionDetails = $True }
(Import-Module ActiveDirectory).LogPipelineExecutionDetails = $True
Get-WinEvent -FilterHashtable #{LogName='Windows PowerShell';Id ='800'} -MaxEvents 1 | Select -Expand Message
https://learn-powershell.net/2014/08/26/more-new-stuff-in-powershell-v5-extra-powershell-auditing
Investigating PowerShell: Command and Script Logging
https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging

SCCM Compliance state always 'Compliant' when remediation script runs

We're trying to use SCCM 2012 R2 to run some checks on clients and fix problems when needed. For this we use the PowerShell 'Script' option.
Problem description:
When a 'Discovery script' reports ‘Non-Compliant’ the ‘Remediation script’ is launched. Regardless of the output of the ‘Remediation script’, the result in the report on the client in ‘Configuration Manager > Configurations’ is always ‘Compliant’ even when the ‘Remediation script’ failed to fix the issue and as a result has different output then defined in the ‘Rules for compliance conditions’.
It seems that from the moment a ‘Remediation script’ is selected, the output of the SCCM Compliance State is always ‘Compliant’.
Example:
- Situation:
When there are files or folders in the folder ‘C:\Users\me\Downloads\Input_Test’ the ‘Discovery script’ reports ‘Not compliant to anything’ and kicks of the ‘Remediation script’. The remediation script takes action and can’t fix the problem so it reports back something else then ‘Compliant’, like ‘Non-Compliant’. The SCCM Compliance State should say after execution of the ‘Remediation script’: ‘Non-Compliant’ (which is not the case).
- PowerShell Discovery script:
$Paths = Get-ChildItem -Path 'C:\Users\me\Downloads\Input_Test' | Select -ExpandProperty FullName
New-EventLog -LogName Application -Source SCCMCompliance
if ($Paths) {
$Compliance = 'Non-Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message “Discovery script: Non-Compliant”
}
else {
$Compliance = 'Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Information -EventID 0 -Message “Discovery script: Compliant”
}
$Compliance
- PowerShell Remediation script:
Write-Output 'Non-Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message “Remediation script: Non-Compliant $Paths”
- SCCM Rules for compliance conditions:
- SCCM Compliance State in the Configuration Manager:
In the Windows event viewer all steps can be tracked easily. Am I missing something super obvious here?
After much pain and hurt myself and #DarkLite1 have found that SCCM does not check compliance state after it has performed remediation
From the moment you use a 'Remediation script' the only 2 possible Compliance statusses are: 'Compliant' or 'Exit with error code'. This is done in PowerShell with 'Exit 1'.
For more information please see.
https://social.technet.microsoft.com/Forums/en-US/0f0f3e6f-7e9f-4376-a926-fc0b6aef5bf1/sccm-compliance-state-always-compliant-when-remediation-script-runs?forum=configmanagersecurity

PowerShell: get-eventlog takes too long to complete

I am trying to script the review of the past 30 days of the Application and System Event Logs on remote servers, looking for only Warnings, Errors, or Critical entries.
Borrowing from what I have found here and in other forums, I have come up with:
$Date = Get-Date
$Range = $Date.AddDays(-30)
$Range = $range.ToShortDateString();
$LogName = Read-Host "Which Log? (Application, System)"
$Server = Read-Host "Please Enter Server Name"
get-eventlog $LogName -ComputerName $Server -After $range | where {$_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Critical"}
This seems to run fairly quickly, but then hangs several (5-10+) minutes before returning to a prompt, if it does....
Note: if I remove the code:
-After $range
I can simply break the output with ctrl-c and get on with my day, but I'd rather it run as intended and then stop...
So: Any ideas on how to eliminate this hang?
I am also open to ideas on how to make the code more elegant (and faster)!
And I wouldn't mind the script checking both the Application and System logs without having to run twice....
Using the -EntryType string-array parameter on Get-EventLog is much faster than retrieving the entire event log and then filtering with Where-Object
Try get-eventlog -Logname System -EntryType ("Error", "Warning")
However... if I put "Critical" in the -EntryType array, I get: The argument "Critical" does not belong to the set "Error,Information,FailureAudit,SuccessAudit,Warning" specified by the ValidateSet attribute. which makes me wonder whether you should be heeding the advice as listed in Get-Help Get-EventLog:
The cmdlets that contain the EventLog noun (the EventLog cmdlets) work
only on classic event logs. To get events from logs that use the
Windows Event Log technology in Windows Vista and later versions of
Windows, use Get-WinEvent.
Using Get-WinEvent instead, I think this is what you want:
Get-Winevent -FilterHashtable #{LogName="System","Application"; Level=1,2,3; startTime=$range}
That will check for events of level 1, 2, or 3 (Critical, Error, Warning, respectively), and search both the Application and System logs in the same invocation.
I found that for remote systems, I could query several systems at once faster than I could individually, using the same command, if I wrapped it into an Invoke-Command. This is my solution. The more systems, the more time it saved. YMMV
$command = {Get-EventLog -LogName Application -After (Get-Date).AddHours("-24")}
Invoke-Command -ComputerName "foo1","foo2","foo3","foo4" -ScriptBlock $command

powershell: get-winevent has no message data?

When I run the script below to retrieve log files, the get-winevent "message" field is blank, but has data if I run get-eventlog. Any ideas why?
#has message data
Get-Eventlog -LogName application -Newest 10
#date 10 days ago
$EventStartDate = get-date("10 May 2012")
$EventEndDate = get-date("11 May 2012")
$EventLogNames = #("Application", "system")
#critea for winevent
$EventCritea = #{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate}
#Retrieves the event log
$RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea
$RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated
What locale are you running under?
There is a .NET bug where the underlying .NET method (that Get-WinEvent uses) fails to populate localised fields (like Message) in some locales (like en-GB).
Fix is to switch to en-US for the command:
$orgCulture = Get-Culture
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
# Perform Get-WinEvent
[System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture
I believe this is because the messages are hidden in a property value. To display all messages, pipe the get-winevent to the select statement with the following expressions:
#{Label='Messages';Expression={$_.properties.Value}}
If you wish to display a specific message, for instance Logon Process (In security logs), use the expression:
#{Label='Logon Process';Expression={$_.properties.Value[3]}}
I know I have seen get-winevent not work on Windows Server 2003 in the past when I have tried it. Basically the PS environment said get-winevent didn't work for 2003. That may have been PS v1 then, so I am not sure if that was resolved with newer versions of PS: I am on 2K8 R2 now.
On my
What PSHost are you running under?
I am experiencing a problem on PS V2.0 running on windows 7 accessing W2k8. If run within a Powershell console or within Powershell ISE it retrieves all data. However if running within a runspace or from PowerGUI (pro) it returns only a partial subset which does not include the Message property.
[EDIT]
Richard's post allows me to work around the problem but it is very strange because the culture in the working PS console is 'en-GB' and the culture in the non working PowerGui Script Editor is 'en-GB' which only works if I change the culture to 'en-US'.
Freaky
Adding the following line at the top of my script worked for me (taken from Richards code Snippet) ;
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
[PS 2.0] Note that a culture change is only valid for the current pipeline.
See Culture Gotchas
So the command to temporarily change culture + get-winevent need to be grouped either in a script block (enclosed within "{...}") or on one line separated by ";".
I discovered this when trying to use get-winevent on system log on Server 2008. Messages came up empty, and I needed to change the culture from nl-BE to en-US.