I wrote a script to remotely retrieve event logs in PowerShell, but I am not a fan of how the script creates its own event log entries.
In particular, this script captures several types of event identifiers, including login/logout events. Recently, I was asked to run a script to retrieve events for another user and needed to get this data within a few hours. I usually run the script and let it work most of the day (because there is usually a lot of data), but this time, to speed up the process, I deployed 4 instances of the script to extract this data faster than usual. Each instance of the script looked at a different time interval, so that the 4 scripts combined covered the requested time frame.
In 3 hours or so, I had more than a million login attempts for my user ID on this remote computer. I had so many logins that I ended up overwriting the event log data I was initially asked to pick up.
Lesson learned; now I'm exploring how to do it faster, more efficiently and more reliably.
Here's the heart of my code. It's pretty simple and straightforward, and it works for the most part.
# Event IDs of interest (logon/logoff, special privileges, workstation lock/unlock, etc.)
$output = Get-EventLog `
    -InstanceId 4672,4647,4634,4624,4625,4648,4675,4800,4801,4802,4803 `
    -LogName Security `
    -After (Get-Date $inStartDate) `
    -Before (Get-Date $inEndDate).AddDays(1) `
    -Message ("*" + $InUserID + "*") `   # wildcard match on the user ID in the message body
    -ComputerName $inPCID                 # remote computer to query
I think there are several questions that I have not yet been able to clarify in my research. Why does Get-EventLog have to make so many connections? Is it due to the connection continuing to drop, or something else?
What would be the fastest way to get this data? Using my current Get-EventLog command with -ComputerName, or should I use something like Enter-PSSession or Invoke-Command?
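As an added example (not code from the original post), here is one way to do the same retrieval over a single remoting session instead of repeated Get-EventLog -ComputerName calls. It assumes PowerShell remoting is enabled on the target and that the caller is allowed to read its Security log; the computer name, user ID and date range are placeholder values.

```powershell
# Added example, not the poster's script. Parameter defaults are placeholders.
param(
    [string]$ComputerName = 'TARGET-PC',             # placeholder host name
    [string]$UserId       = 'jdoe',                  # placeholder account to match in the message text
    [datetime]$StartDate  = (Get-Date).AddDays(-1),
    [datetime]$EndDate    = (Get-Date)
)

# The same event IDs the original script asks for.
$eventIds = 4672,4647,4634,4624,4625,4648,4675,4800,4801,4802,4803

# One authenticated connection for the whole job. Each Get-EventLog -ComputerName
# call opens its own connection to the target, and every such connection leaves a
# logon/logoff pair in the target's Security log, which is what filled the log
# in the question. A PSSession is set up once and reused.
$session = New-PSSession -ComputerName $ComputerName

try {
    $output = Invoke-Command -Session $session `
        -ArgumentList $eventIds, $StartDate, $EndDate, $UserId `
        -ScriptBlock {
            param($ids, $start, $end, $user)

            # Get-WinEvent with a hashtable filter is evaluated by the event log
            # service on the remote host, so only matching records are read from
            # disk and only those records cross the wire.
            $filter = @{
                LogName   = 'Security'
                Id        = $ids
                StartTime = $start
                EndTime   = $end.AddDays(1)
            }
            Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -like "*$user*" } |
                Select-Object TimeCreated, Id, MachineName, Message
        }
}
finally {
    # Always tear the session down; an abandoned session is one more logon on the target.
    Remove-PSSession $session
}

$output | Export-Csv -Path ".\$ComputerName-security-events.csv" -NoTypeInformation
```

Two points worth noting. First, splitting a large range across several copies of this script does not help and only multiplies the logon artifacts on the target; if the range has to be split, loop over the sub-ranges inside the one Invoke-Command block. Second, even a single session still records a network logon for the account that runs the script, so on a host where every Security event matters, plan for that entry (or run the collection from a dedicated log-reader account) and make sure the Security log's maximum size and retention on the target are large enough that collection traffic cannot push out the events being collected.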