Create an account

Very important

  • To access the important data of the forums, you must be active in each forum and especially in the leaks and database leaks section, send data and after sending the data and activity, data and important content will be opened and visible for you.
  • You will only see chat messages from people who are at or below your level.
  • More than 500,000 database leaks and millions of account leaks are waiting for you, so access and view with more activity.
  • Many important data are inactive and inaccessible for you, so open them with activity. (This will be done automatically)

0Day Forums Coding PowerShell & .ps1 Powershell - Tail Windows Event Log? Is it possible?

Thread Rating:
  • 276 Vote(s) - 3.6 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Options
Powershell - Tail Windows Event Log? Is it possible?

Offline wakif185608


Luxury
*****
Luxury
Posts: 0
Threads: 0
Joined: Mar 2019
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#1
07-21-2023, 08:03 PM
How can i use powershell to tail a specific windows event log?
Is it possible?
Reply

Offline nectriaceous325650


Member
*
Member
Posts: 0
Threads: 0
Joined: Feb 2022
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#2
07-21-2023, 08:12 PM
I've done this on occasion:

$idx = (get-eventlog -LogName System -Newest 1).Index

while ($true)
{
start-sleep -Seconds 1
$idx2 = (Get-EventLog -LogName System -newest 1).index
get-eventlog -logname system -newest ($idx2 - $idx) | sort index
$idx = $idx2
}

Reply

Offline erbium726312


Member
*
Member
Posts: 0
Threads: 0
Joined: Jun 2021
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#3
07-21-2023, 08:39 PM
Per MSDN docs:

> `Get-WinEvent` is designed to replace the `Get-EventLog` cmdlet on
> computers running Windows Vista and later versions of Windows.
> `Get-EventLog` gets events only in classic event logs. `Get-EventLog` is
> retained in Windows PowerShell for backward compatibility.

And spurred on by my own need to tail a *non*-classic event log (would that be an *event log nouveau* perchance?) here is the wonderfully concise code of @mjolinor repurposed to use `Get-WinEvent`:

Set-PSDebug -Strict
function Get-WinEventTail($LogName, $ShowExisting=10) {
if ($ShowExisting -gt 0) {
$data = Get-WinEvent -provider $LogName -max $ShowExisting
$data | sort RecordId
$idx = $data[0].RecordId
}
else {
$idx = (Get-WinEvent -provider $LogName -max 1).RecordId
}

while ($true)
{
start-sleep -Seconds 1
$idx2 = (Get-WinEvent -provider $LogName -max 1).RecordId
if ($idx2 -gt $idx) {
Get-WinEvent -provider $LogName -max ($idx2 - $idx) | sort RecordId
}
$idx = $idx2

# Any key to terminate; does NOT work in PowerShell ISE!
if ($Host.UI.RawUI.KeyAvailable) { return; }
}
}

I added in a few bells and whistles for convenience:

* By default it shows the last 10 lines of the log initially, then concatenates new entries as they occur--you can adjust that to any number via the `ShowExisting` parameter.
* It sorts records with oldest first (contrary to `Get-WinEvent`'s default) due to the natural order that tail requires.
* You can press any key to terminate (but not in PowerShellISE).

Reply

Offline publishing787


Member
*
Member
Posts: 0
Threads: 0
Joined: Oct 2018
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#4
07-21-2023, 09:07 PM
First, thank you Michael!

Slight refinement for my use case that includes showing the entire multi-line message value.

function Get-WinEventTail($Provider="JobRequestQueueConsumerBackgroundService", $ShowExisting=10) {
$formatProperty = @{ expression={$_.TimeCreated}; label="TimeCreated"},
@{ expression={$_.Message}; label="Message"; width=100}
if ($ShowExisting -gt 0) {
$data = Get-WinEvent -ProviderName $Provider -max $ShowExisting
if ($data) {
$data | sort RecordId | Format-Table -Property $formatProperty -Wrap
$idx = $data[0].RecordId
}
}
else {
$idx = (Get-WinEvent -ProviderName $Provider -max 1).RecordId
}

while ($true)
{
start-sleep -Seconds 1
$idx2 = (Get-WinEvent -ProviderName $Provider -max 1).RecordId
if ($idx2 -gt $idx) {
Get-WinEvent -ProviderName $Provider -max ($idx2 - $idx) | sort RecordId | Format-Table -Property $formatProperty -Wrap
}
$idx = $idx2

# Any key to terminate; does NOT work in PowerShell ISE!
if ($Host.UI.RawUI.KeyAvailable) { return; }
}
}

Get-WinEventTail


The `-Wrap` option was necessary to show a multi-line message, otherwise ellipsis would truncate the message at the end of the first line. Setting the column width did NOT help.
Reply

« Next Oldest
Next Newest »


Forum Jump:


Users browsing this thread:
1 Guest(s)

©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through