EventLog & ConvertFrom-String - audit

I am trying to objectify the Security event log by using the ConvertFrom-String PowerShell cmdlet, but am not able to work it out.
First I get the event(s) from my DC.
$events = Get-WinEvent -ComputerName $comp -FilterHashtable @{LogName='Security'; Id=4727}
Next I define my template.
$tmpl = @'
{Event:A security-enabled global group was created.}
Subject:
Security ID: S-1-5*
{SubjectName:Account Name: andrew}
Account Domain: DOMAIN
Logon ID: 0x16D280EB
New Group:
Security ID: S-1-5*
{GroupName:Group Name: test1}
Group Domain: DOMAIN
Attributes:
SAM Account Name: test1
SID History: -
Additional Information:
Privileges: -
'@
Finally I try to turn it into objects.
($events).message | ConvertFrom-String -TemplateContent $tmpl
But my output is only
Event: A security-enabled global group was created.
Instead, I want to get something like:
Event: A security-enabled global group was created
SubjectName: andrew
GroupName: test1
And I would like this to work when looping through many similar events, to pull out the right bits.

I posted the same question in the Microsoft forums and got an immediate answer, and so for those interested, here it is.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/42f8e6a3-4304-4215-b521-d611e3216e1c/eventlog-convertfromstring?forum=winserverpowershell
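Added example, my code rather than the original poster's or the forum answer's: instead of a ConvertFrom-String template, the function below splits the message into lines, treats a line that carries no value ("Subject:", "New Group:") as a section header, and prefixes the keys beneath it with the section name, so the repeated "Security ID:" and "Account Name:" labels stay distinct. It accepts pipeline input, so `(Get-WinEvent ...).Message | ConvertFrom-SecurityEventMessage` handles any number of events. The message used here is a constructed 4727 sample laid out like the question's template, and the property naming (SubjectAccountName, NewGroupGroupName) is my own convention.

```powershell
# Added example, not the original poster's or the forum answer's code.
# Parses the text of a Security event message into an object. Lines with no
# value ("Subject:", "New Group:") start a section, and the keys below them are
# prefixed with the section name, so repeated labels do not collide.
function ConvertFrom-SecurityEventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        $lines = @($Message -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($lines.Count -eq 0) { return }
        # The first line is the event summary; drop its trailing period.
        $fields  = [ordered]@{ Event = $lines[0].TrimEnd('.') }
        $section = ''
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
                $key   = $Matches.key.Trim()
                $value = $Matches.value.Trim()
                if ($value -eq '') {
                    $section = $key            # a header such as "Subject"
                } else {
                    # Property name = section + key, letters and digits only,
                    # e.g. "Subject" + "Account Name" -> SubjectAccountName
                    $name = ($section + ' ' + $key) -replace '[^A-Za-z0-9]', ''
                    $fields[$name] = $value
                }
            }
        }
        [pscustomobject]$fields
    }
}

# Constructed sample message in the layout of event 4727 (tabs as in real messages).
$sample = @'
A security-enabled global group was created.

Subject:
	Security ID:		S-1-5-21-1111-2222-3333-1001
	Account Name:		andrew
	Account Domain:		DOMAIN
	Logon ID:		0x16D280EB

New Group:
	Security ID:		S-1-5-21-1111-2222-3333-1105
	Group Name:		test1
	Group Domain:		DOMAIN

Attributes:
	SAM Account Name:	test1
	SID History:		-

Additional Information:
	Privileges:		-
'@

# Same pipeline shape as (Get-WinEvent ...).Message | ConvertFrom-SecurityEventMessage
$sample | ConvertFrom-SecurityEventMessage |
    Select-Object Event, SubjectAccountName, NewGroupGroupName, SubjectLogonID
```

For real events the text parsing can be skipped altogether: `$event.ToXml()` exposes the same values under the stable EventData names (SubjectUserName, TargetUserName, and so on), which do not change with the message language.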

Related

How to test a relationship in seeds with a source() in dbt

Is there any way to test a seed with a relationship coming from an external source?
I'm trying to test the seeds before creating them; to do this I'm currently creating a relationship test, but with an external source.
I would like to do something like this in the seeds/schema.yml:
version: 2
seeds:
  - name: products_market
    description: ""
    columns:
      - name: id_source
        description: "ID source"
      - name: id_target
        description: "id target"
        tests:
          - relationship:
              to: source('dt', 'products')
              field: id_product
In this case the field id_target would be checked against the field id_product of dt.products.
But I get the error:
'test_relationship' is undefined. This can happen when calling a macro that does not exist. Check for typos and/or install package dependencies with "dbt deps".
The sources.yml:
version: 2
sources:
  - name: dt
    tables:
      - name: products
        description: General Products
I saw this info but I'm not sure if I'm doing it right, or maybe there is another way to do this:
https://docs.getdbt.com/reference/seed-properties
https://docs.getdbt.com/reference/resource-properties/tests
EDIT:
I was missing an 's' in the relationships test statement in the schema.yml. Anyway, it doesn't look like I'm doing it properly; it says there is no test, or does nothing, when I run dbt seed... or dbt build.
version: 2
seeds:
  - name: products_market
    description: ""
    columns:
      - name: id_source
        description: "ID source"
      - name: id_target
        description: "id target"
        tests:
          - relationships:
              to: source('dt', 'products')
              field: id_product
Thanks in advance

Home Assistance Script for Automation

Trying to config my first script
My goal is to automate an alert if my heater is in Error... there are many types of error... The only state that is good is "E-00: OK".
I would like to trigger the script only if the value is <> to state: "E-00: OK".
Is there a way to do that?
Script YAML:
alias: >-
  Heater E10
sequence:
  - condition: state
    entity_id: sensor.heater_error_string
    state: "E-00: OK"
mode: single
icon: mdi:radiator
Yes, you can create a server-side automation script which is triggered only when your text sensor entity's value changes from OK to any other value.
For example, you may try:
automation:
  trigger:
    - platform: state
      entity_id: sensor.heater_error_string
      from:
        - "E-00: OK"
  action:
    - service: notify.mobile_phone_app
      data:
        message: heater is not ok
        title: Heater Notification
  mode: single

User login history in whole Domain

I'm actually looking for a way to get login history for a specific username.
I have tried these ways but didn't work:
1. eventid 4624
It only shows logins to the DC itself, not in the entire domain. E.g. a user has logged in to the DC, so Event Viewer logs this as an event with event ID 4624. But if a user logs in to another server (not a DC), nothing will be logged in the DC's Event Viewer.
2. eventid 4769
It's about tickets that the DC creates and assigns. But it wasn't helpful.
So how can I get the login history of a user in entire domain?
I reproduced your scenario and am getting the expected result.
Event ID 4624 - An account was successfully logged on.
This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, RemoteInteractive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial as the information regarding logon type is not found in DCs. You can get a user login history report without having to manually crawl through the event logs.
Open the PowerShell ISE and run the following script, adjusting the timeframe:
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# Store successful logon events from the Security logs of every DC for the specified dates in an array
# (accumulate with +=; a plain assignment would keep only the last DC's events)
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate | Where-Object { $_.EventID -eq 4624 }
}
# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
foreach ($e in $slogonevents) {
    # Logon Successful Events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 2)) {
        Write-Host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    }
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 10)) {
        Write-Host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
    }
}
Reference: Active Directory: How to Get User Login History using PowerShell (TechNet Wiki, microsoft.com)
You can also try an easier alternative: a tool like ADAudit Plus, which audits specific logon events as well as current and past logon activity to provide a list of all logon-related changes for a particular user.
Step 1: Download ADAudit Plus in your VM and install it.
Step 2: Add your server name, username and password.
Step 3: Follow the picture below to get the logon details of a particular user.
Reference : https://www.manageengine.com/products/active-directory-audit/kb/ad-user-login-history-report.html
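Added example, my code rather than the answer's script: it collects successful logons (4624) for one user from a list of hosts with Get-WinEvent and reads the fields from the event XML by name (TargetUserName, LogonType, IpAddress) instead of by ReplacementStrings position, which is what the TechNet script relies on. Get-LogonHistory needs read access to the remote Security logs; the demo at the end parses a constructed 4624 record with invented values so the conversion can be run offline. The logon-type names follow the documented meaning of the LogonType field.

```powershell
# Added example, not the answer's script: collect successful logons (4624) for
# one user from a list of hosts with Get-WinEvent and read the fields from the
# event XML by name, instead of relying on ReplacementStrings positions.
# Get-LogonHistory needs read access to the remote Security logs; the demo at
# the end parses a constructed 4624 record so the conversion can be run offline.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-LogonEventXml {
    # Flattens the XML of one 4624 event into an object with named fields.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    $typeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Other($type)" }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        LoggedOnTo  = $EventXml.Event.System.Computer       # host that recorded the logon
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $type
        LogonName   = $typeName
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
    }
}

function Get-LogonHistory {
    # 4624 is written by the machine where the session is created, so list every
    # host that matters (DCs and member servers), not only the DCs.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    foreach ($computer in $ComputerName) {
        # Data = $UserName pre-filters on the event's EventData values server-side.
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime; Data = $UserName }
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml -EventXml ([xml]$_.ToXml()) } |
            Where-Object { $_.User -like "*\$UserName" }
    }
}

# Constructed 4624 record (values invented) to exercise the conversion offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:00.000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">andrew</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-ANDREW</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonEventXml -EventXml ([xml]$sampleXml) |
    Format-Table Time, LoggedOnTo, User, LogonName, Workstation, IpAddress -AutoSize

# Real run (needs rights on each host):
# Get-LogonHistory -ComputerName (Get-ADDomainController -Filter *).HostName -UserName andrew
```

Because 4624 is local to the machine that created the session, collecting it from the DCs alone shows exactly what the question observed: only logons to the DCs. For a domain-wide picture from the DCs, the Kerberos events the question mentions (4769, and 4768 for TGT requests) are the records to query, since every domain authentication goes through a DC; 4624 from the member servers then adds the session detail.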

t-SQL - How to parse entry for specific text

I have a database that I need to search that is full of windows event log entries.
Specifically, I need to return only a portion of the event message ('Account Name: John' in the example below). Unfortunately, this must be done with SQL, there is no set character that the string would start or end at, and the 'John' portion could be any name in Active Directory.
This seems a little more like a job for Regex, but I was hoping there might be an alternative that I am missing.
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: WIN-R9H529RIO4Y\John
Account Name: John
Additional Information:
Caller Computer Name: WIN-R9H529RIO4Y
Thoughts?
This is probably not the most efficient solution to the problem, but it does seem to work.
I've left it verbose on purpose so that it can be understood, but you could easily condense this down into a single statement if you wanted to:
declare @string varchar(max) =
'A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: WIN-R9H529RIO4Y\John
Account Name: John
Additional Information:
Caller Computer Name: WIN-R9H529RIO4Y';

-- Position of the ':' in the LAST "Account Name: " (found by searching the reversed string)
declare @AccountStartIndex int =
    len(@string) - charindex(reverse('Account Name: '), reverse(@string));

-- Position of the CR LF that ends that line
declare @AccountEndIndex int =
    charindex(char(13) + char(10), @string, @AccountStartIndex);

-- Text between "Account Name: " and the line break; the -2 leaves out the CR itself
select substring(
    @string,
    @AccountStartIndex + 2,
    @AccountEndIndex - @AccountStartIndex - 2);
It works by finding the last occurrence of Account Name: in the string and then working out the position of the newline following it. With these two pieces of information we can substring John out.

IIS 6 Error Message

I have a warning message in my IIS 6 event viewer. How do I solve this problem?
Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1309
Date: 11/3/2009
Time: 8:18:20 AM
User: N/A
Computer: PEB-BL05
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/3/2009 8:18:20 AM
Event time (UTC): 11/3/2009 1:18:20 AM
Event ID: 6d12e7ec9a314fd59153efb83329b5c3
Event sequence: 236
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1950175433/Root/myApp
Trust level: Full
Application Virtual Path: /attga
Application Path: C:\Inetpub\wwwroot\myApp\
Machine name: MyComMachine
Process information:
Process ID: 4528
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: RowNotInTableException
Exception message: This row has been removed from a table and does not have any data. BeginEdit() will allow creation of new data in this row.
Yes, more info is really needed. On the surface it looks like you have a page that is manipulating a table and it encountered an error that was not handled, so IIS reset the worker process (handled your exception for you). How do you troubleshoot? There are a number of ways, but the one I am most familiar with and use most frequently is to attach the debugger (cdb or windbg), set a BP on the exception that is occurring and then wait. You can then use the debugger to determine the page that is failing and anything more you want. To learn more about this process I'd recommend a book by John Robbins:
http://www.amazon.com/Debugging-Applications-Microsoft%C2%AE-Microsoft-Pro-Developer/dp/0735615365
This is an application error caused by whatever is running in the "myApp" folder.
Take a look at what's in there and then come back.