PowerShell Module for using Microsoft Windows Event Viewer Custom Views for Event Log Filtering in PowerShell
- First version published on GitHub
Most administrators, investigators or supporters have at some point in time, made one or more Custom Views in the Microsoft Windows Event Viewer and then copied parts, or the whole filter, into a PowerShell-script to try and get the same events outputted in their shell. This simple module resolves that, now you just export your Custom View in the Event Viewer to an XML, and uses it directly with the Get-EventFromCustomViewXML, to output the exact same Events.
Currently not published in PSGallery, so you have to download the Module and Import it the hard way... (Sorry)
Works perfect with my Event Viewer Custom Views, a small collection of useful Custom Views, both for security analysis and forensics.
Get a list of the Custom Views using the Get-EventViewerCustomViewXML:
PS C:\> Get-EventViewerCustomViewXML -Recurse | Sort-Object Name FileName Name Description -------- ---- ----------- 01D97C.xml Administrator Logon (Failed) Failed Administrator Account Logons 049517.xml Legacy Kerberos Ticket Encryption Types Legacy Kerberos Ticket Encryption Types: DES-CBC-CRC, DES-CBC-MD5... 0226D5.xml NTLMv1 Authentications NTLMv1 (Windows New Technology LAN Manager) Authentications PS C:\> _
Note that when using -Recurse it can be helpful to use the below syntax, to also see where the XML's are located.
PS C:\> Get-EventViewerCustomViewXML -Recurse | Sort-Object Name | Select-Object FileName,Name,Path FileName Name Path -------- ---- ---- 01D97C.xml Administrator Logon (Failed) C:\CustomViews 049517.xml Legacy Kerberos Ticket Encryption Types C:\CustomViews 0226D5.xml NTLMv1 Authentications C:\CustomViews PS C:\> _
Then get the Event wanted, using the Get-EventFromCustomViewXML:
PS C:\> Get-EventFromCustomViewXML .\CustomViews01円D97C.xml ProviderName: Microsoft-Windows-Security-Auditing TimeCreated Id LevelDisplayName Message ----------- -- ---------------- ------- 05-12-2022 02:13:47 4625 Information An account failed to log on.... 04-12-2022 22:09:29 4625 Information An account failed to log on.... PS C:\> _
The list of the functions contained in this module.
<# .SYNOPSIS Get Event from the EventLog using a Event Viewer Custom View XML. .DESCRIPTION Get Event from the EventLog using a Event Viewer Custom View XML .PARAMETER XMLFile Path for the Event Viewer Custom View XML file .EXAMPLE PS C:\CustomFilters> Get-EventFromCustomViewXML -XMLFile .01円D97C.xml ProviderName: Microsoft-Windows-Security-Auditing TimeCreated Id LevelDisplayName Message ----------- -- ---------------- ------- 05-12-2022 02:13:47 4625 Information An account failed to log on.... 04-12-2022 22:09:29 4625 Information An account failed to log on.... 04-12-2022 22:09:28 4625 Information An account failed to log on.... .NOTES FUNCTION: Get-EventFromCustomViewXML AUTHOR: Tom Stryhn GITHUB: https://github.com/tomstryhn/ .INPUTS [string] .OUTPUTS [System.Diagnostics.Eventing.Reader.EventLogRecord] #>
<# .SYNOPSIS Get Name and Description from exported Microsoft Event Viewer Custom View XML .DESCRIPTION Filtering on XML files, and will try and sort out non-Custom View XMLs. .PARAMETER Path Path to parse (Defaults to Get-Location) .PARAMETER Recurse Will do a recursive search from the Path .EXAMPLE PS C:\EventViewer> Get-EventViewerCustomViewXML -Recurse FileName Name Description -------- ---- ----------- 049517.xml Legacy Kerberos Ticket Encryption Types Legacy Kerberos Ticket Encryption Types: DES-CBC-CRC, DES-CBC-MD5... 0226D5.xml NTLMv1 Authentications NTLMv1 (Windows New Technology LAN Manager) Authentications .NOTES FUNCTION: Get-EventViewerCustomViewXML AUTHOR: Tom Stryhn GITHUB: https://github.com/tomstryhn/ .INPUTS [string] .OUTPUTS [System.Management.Automation.PSCustomObject] #>