Search for records in the event viewer after the last run (not the entire event log), remove duplicate - Output Logon type for a specific OU users

Hi,
The following code works perfectly for me and gives me a list of users for a specific OU and their respective logon types :-
$logFile = 'c:\test\test.txt'
$_myOU = "OU=ABC,dc=contosso,DC=com"
# LogonType as per technet
$_logontype = @{
    2 = "Interactive"
    3 = "Network"
    4 = "Batch"
    5 = "Service"
    7 = "Unlock"
    8 = "NetworkCleartext"
    9 = "NewCredentials"
    10 = "RemoteInteractive"
    11 = "CachedInteractive"
}
# Query 4624 (successful logon) events, suppressing system/noise logons on the remote side
Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0"" or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>" -ComputerName "XYZ" | ForEach-Object {
    #TargetUserSid -> distinguishedName of the account
    $_cur_OU = ([ADSI]"LDAP://<SID=$(($_.Properties[4]).Value.Value)>").distinguishedName
    If ( $_cur_OU -like "*$_myOU" ) {
        $_cur_OU
        #LogonType
        $_logontype[ [int] $_.Properties[8].Value ]
        #Time-created
        $_.TimeCreated
        #IpAddress
        $_.Properties[18].Value
    }
} >> $logFile
I am able to pipe the results to a file; however, I would like to convert it to CSV/HTML. When I try the "ConvertTo-HTML" function it converts certain values. Also,
a) I would like to remove duplicate entries when the script runs, only for that execution.
b) When the script is run, we may be able to search for records after the last run and not search in the same records that we have looked into before.
PLEASE HELP !

If you just want to look for the new events since the last run, I suggest to record the EventRecordID of the last event you parsed and use it as a reference in your filter. For example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 and EventRecordID>46452302)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"]="0x0" or Data[@Name="TargetDomainName"]="NT AUTHORITY" or Data[@Name="TargetDomainName"]="Window Manager"]]</Suppress>
  </Query>
</QueryList>
That's the logic that the Server Manager of Windows Server 2012 uses to save time, CPU and bandwidth. The problem is how to get that number and provide it to your next run. You can store it in a file and read it at the beginning. If not found, you can go through the whole event list.
Let's say you store it in a simple text file, ref.txt
1234
At the beginning just read it.
Try {
    # -ErrorAction Stop makes a missing file a terminating error so the Catch block runs
    $_intMyRef = [int] (Get-Content .\ref.txt -ErrorAction Stop)
}
Catch {
    Write-Host "The reference EventRecordID cannot be found." -ForegroundColor Red
    $_intMyRef = 0
}
This is a very lazy check. You can do proper parsing etc... That's a quick and dirty way. If I can read it and parse it as an integer, I use it. Else, I just set it to 0, meaning I'll collect all info.
Then include it in your filter. Your Get-WinEvent becomes:
Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624 and EventRecordID&gt;$_intMyRef)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0"" or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>"
At the end of your script, store the last value you got into your ref.txt file. So you can for example get that info in the loop. Like:
$Result += $LogonRecord
$_intLastId = $Event.RecordId
And at the end:
Write-Output $_intLastId | Out-File .\ref.txt
Then next time you run it, it is just scanning the delta. Note that I prefer this over the date filter in case the machine wasn't active for long or in case of a time sync issue, which can sometimes mess up date-based filters.
If you want to go for date filtering, do it at the Get-WinEvent level, not in the Where-Object. If the query is local, it doesn't change much. But on a remote system, it does the filter on the remote side, therefore you're saving time and resources on your side. So for example for the last 30 days, if you want to use the XMLFilter parameter, you can use:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select>
</Query>
</QueryList>
Then you can combine it, etc...
PS, I used the confusing underscores because I like it ;)
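An added example (not code from either post) that folds the answer's EventRecordID checkpoint into the asker's script, adds the per-run de-duplication and CSV output asked for in (a), and tracks the highest RecordId seen rather than the last one, since Get-WinEvent returns newest events first. The file names $refFile and $csvFile, and the Sort-Object -Unique / Export-Csv -Append choices, are assumptions; the OU, server name "XYZ", suppress filter and property indexes come from the question.

```powershell
# Added example: one run of the collector, from checkpoint read to checkpoint write.
$refFile   = '.\ref.txt'            # assumed: holds the last EventRecordID processed
$csvFile   = 'c:\test\logons.csv'   # assumed: CSV output, appended to on each run
$myOU      = 'OU=ABC,dc=contosso,DC=com'
$computer  = 'XYZ'
$logonType = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
                11 = 'CachedInteractive' }

# Checkpoint: 0 means no reference yet, so the whole log is scanned.
# -ErrorAction Stop turns a missing file into a terminating error so catch runs.
try   { $lastId = [int64](Get-Content $refFile -ErrorAction Stop) }
catch { $lastId = 0 }

# Filter server-side: only 4624 events with an EventRecordID above the checkpoint.
$xml = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4624 and EventRecordID&gt;$lastId)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"]="0x0"
    or Data[@Name="TargetDomainName"]="NT AUTHORITY"
    or Data[@Name="TargetDomainName"]="Window Manager"]]</Suppress>
</Query></QueryList>
"@

$maxId = $lastId
$rows = Get-WinEvent -FilterXml $xml -ComputerName $computer -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Events arrive newest first, so keep the maximum RecordId, not the last one seen.
    if ($_.RecordId -gt $maxId) { $maxId = $_.RecordId }
    $sid = $_.Properties[4].Value.Value                      # TargetUserSid as a string
    $dn  = ([ADSI]"LDAP://<SID=$sid>").distinguishedName     # resolve SID to DN
    if ($dn -like "*$myOU") {
      [pscustomobject]@{
        User      = "$dn"
        LogonType = $logonType[[int]$_.Properties[8].Value]   # LogonType
        SourceIP  = $_.Properties[18].Value                   # IpAddress
        Time      = $_.TimeCreated
      }
    }
  }

# (a) one row per user / logon type / source for this run; (b) advance the checkpoint
# only after the output is written, so a failed run is re-scanned next time.
$rows | Sort-Object User, LogonType, SourceIP -Unique |
  Export-Csv -Path $csvFile -NoTypeInformation -Append
Set-Content -Path $refFile -Value $maxId
```

Because the checkpoint is a per-log record number, keep one ref file per queried computer if the script is pointed at more than one server.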
