Have you ever had the need to query multiple computers for a specific string in some Event Log? Well, look no further! Here is a PowerShell script that does it for you!
–
# SCRIPT NAME: Search-EventLog-For-String.ps1
Param (
    [string[]]$listOfServers,      # one or more computer names to query (ignored when -discoverDC is used)
    [string]$discoverDC,           # LOCALDOMAIN or LOCALSITE: build the server list from AD instead
    [string]$eventLogName,         # e.g. Security, System, "Directory Service"
    [string]$stringToSearchFor,    # regular expression matched against the event Message
    [bool]$table,                  # $true = Format-Table output
    [bool]$list                    # accepted but not used; omitting -table already gives list output
)

# Discover every DC (RWDC and RODC) in the local AD domain that has an IP address
If ($discoverDC.ToUpper() -eq "LOCALDOMAIN") {
    $listOfServers = ([system.directoryservices.activedirectory.Domain]::GetCurrentDomain()).DomainControllers |
        ?{$_.IPAddress -ne $null} |
        %{$_.Name}
}

# Discover only the DCs in the same AD site as the computer running the script
If ($discoverDC.ToUpper() -eq "LOCALSITE") {
    $adSiteLocalComputer = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $listOfServers = ([system.directoryservices.activedirectory.Domain]::GetCurrentDomain()).DomainControllers |
        ?{$_.IPAddress -ne $null -And $_.SiteName -eq $adSiteLocalComputer} |
        %{$_.Name}
}

# Pull the whole log from each server and keep the events whose message matches the pattern
$relatedEvents = @()
$listOfServers | %{
    $relatedEventsOnServer = Get-WinEvent -ComputerName $($_) -LogName $eventLogName |
        ?{ $_.Message -match $stringToSearchFor }
    $relatedEvents += $relatedEventsOnServer
}

If ($table) {
    $relatedEvents | FT Id, MachineName, LogName, TimeCreated, Message -AutoSize
} Else {
    $relatedEvents | FL Id, MachineName, LogName, TimeCreated, Message
}
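The script above pulls every event in the log across the network and filters client-side, which is slow on a busy Security log and stops at the first unreachable server. The function below is an added example, not part of Jorge's script, that does the same search with Get-WinEvent's -FilterHashtable so the remote host filters by log, time window and (optionally) event ID before anything is sent over the wire, treats "no events found" as an empty result rather than an error, and emits objects so the caller can pipe them into Group-Object or Export-Csv. The function name, parameter names and the host names in the usage lines are this example's own choices; the account running it needs remote Event Log read rights on the targets.

```powershell
# Added example: server-side filtered, fault-tolerant variant of the search in the post.
function Search-RemoteEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]  $ComputerName,   # feed it the post's DC discovery output if you like
        [Parameter(Mandatory)] [string]    $LogName,
        [Parameter(Mandatory)] [string]    $Pattern,        # regex by default, like the post's -match
        [switch]   $Literal,                                # treat -Pattern as plain text, not a regex
        [int[]]    $EventId,                                # optional: narrows the filter on the remote host
        [datetime] $StartTime = (Get-Date).AddHours(-24),   # don't scan the whole log by default
        [int]      $MaxEvents = 5000                        # upper bound per server
    )

    # Escape the pattern when the caller wants a literal match (event text is full of ( ) . etc.)
    $regex = if ($Literal) { [regex]::Escape($Pattern) } else { $Pattern }

    # FilterHashtable is evaluated by the Event Log service on the remote computer
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($EventId) { $filter['Id'] = $EventId }

    foreach ($computer in $ComputerName) {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $MaxEvents `
                               -ErrorAction SilentlyContinue -ErrorVariable evErr

        # Get-WinEvent reports "no events match" as an error; that is an empty result, not a failure.
        # Anything else (RPC unavailable, access denied, unknown log) is worth a warning, but we
        # keep going so one dead server does not abort the sweep.
        foreach ($err in $evErr) {
            if ($err.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$computer : $($err.Exception.Message)"
            }
        }

        $events |
            Where-Object { $_.Message -match $regex } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          Id, LogName, TimeCreated, LevelDisplayName, Message
    }
}

# Usage (host names are placeholders for this example):
# failed logons mentioning a given account on two DCs, counted per DC
Search-RemoteEventLog -ComputerName 'dc01.example.test', 'dc02.example.test' `
                      -LogName Security -EventId 4625 -Pattern 'svc-backup' -Literal |
    Group-Object Computer | Select-Object Name, Count

# same thing, but keep the full records for later analysis
Search-RemoteEventLog -ComputerName 'dc01.example.test' -LogName 'Directory Service' -Pattern 'KCC' `
                      -StartTime (Get-Date).AddDays(-7) |
    Export-Csv -NoTypeInformation -Path .\kcc-events.csv
```

The -Literal switch matters when the search text comes from an operator or a ticket: "An Error occurred during Logon (0x...)" contains regex metacharacters, and the post's script would silently interpret them. The FullyQualifiedErrorId check is used instead of matching the error message text so the function behaves the same on non-English systems.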
–
Some examples:
–
Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon" -table $true
Figure 1: Specifying A Single Server And Displaying In Table Format
–
Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon"
Figure 2: Specifying A Single Server And Displaying In List Format
–
Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN,R2FSRODC5.ADDMZ.LAN,R2FSRODC6.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon" -table $true
Figure 3: Specifying A List Of Servers And Displaying In Table Format
–
Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN,R2FSRODC5.ADDMZ.LAN,R2FSRODC6.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon"
Figure 4: Specifying A List Of Servers And Displaying In List Format
–
Search-EventLog-For-String.ps1 -discoverDC LOCALDOMAIN -eventLogName System -stringToSearchFor "This computer was not able to set up a secure session with a domain controller in domain" -table $true
Figure 5: Discovering All DCs (RWDCs And RODCs) In The Same AD Domain As The Server The Script Is Executed On And Displaying In Table Format
–
Search-EventLog-For-String.ps1 -discoverDC LOCALDOMAIN -eventLogName System -stringToSearchFor "This computer was not able to set up a secure session with a domain controller in domain"
Figure 6: Discovering All DCs (RWDCs And RODCs) In The Same AD Domain As The Server The Script Is Executed On And Displaying In List Format
–
Search-EventLog-For-String.ps1 -discoverDC LOCALSITE -eventLogName "Directory Service" -stringToSearchFor "KCC" -table $true
Figure 7: Discovering All DCs (RWDCs And RODCs) In The Same AD Site As The Server The Script Is Executed On And Displaying In Table Format
–
Search-EventLog-For-String.ps1 -discoverDC LOCALSITE -eventLogName "Directory Service" -stringToSearchFor "KCC"
Figure 8: Discovering All DCs (RWDCs And RODCs) In The Same AD Site As The Server The Script Is Executed On And Displaying In List Format
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————