RE: Win32_NTEventLog - 7/29/2007 10:20:34 PM
SAPIENScripter
Posts: 261
Score: 2
Joined: 11/1/2006
From: SAPIEN Technologies
Status: offline
Are you talking about picking an impersonation type or specifying an additional privilege like Backup or Security? What is the task you want to achieve?
_____________________________
Jeffery Hicks Windows PowerShell MVP SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
RE: Win32_NTEventLog - 7/29/2007 10:39:16 PM
SAPIENScripter
Posts: 261
Score: 2
Joined: 11/1/2006
From: SAPIEN Technologies
Status: offline
I think this is what you are after. In VBScript you can specify privileges when creating the WMI object:

    Set oWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & "\root\cimv2")

But you can't do that in PowerShell. Because WMI is type adapted from the .NET classes, you have to call the underlying PSBase object:

    [wmi]$applog = gwmi -query "Select * from win32_NTEventLogFile where logfilename='application'"

If you tried to run $applog.BackupEventLog("c:\backups\appback.evt") you'll get an error. You have to enable privileges like this:

    $applog.psbase.scope.options.EnablePrivileges = $true

Now you can run the backup method and it will work.
_____________________________
Jeffery Hicks Windows PowerShell MVP SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
RE: Win32_NTEventLog - 7/30/2007 12:39:27 AM
wolfmandragon
Posts: 13
Score: 0
Joined: 7/13/2007
Status: offline
What I am trying to do is parse the security EventLog in real-time, cut and forward to a syslog server. When I insert $applog.psbase.scope.options.EnablePrivileges=$true into my script I get an error message that says .EnablePrivileges property cannot be found. Here is my original querying segment of the script:

    Function Get-WmiEvent ($class, $Path = "root\cimv2")
    {
        $ESCkey = 27   # virtual key codes for Esc and Q, used to stop the watcher
        $Qkey = 81
        # intrinsic event query against the WMI class passed in
        $query = New-Object System.Management.WqlEventQuery "Select * from $class"
        # the scope is local only: no computer name or credentials are set on it
        $scope = New-Object System.Management.ManagementScope $Path
        $watcher = New-Object System.Management.ManagementEventWatcher $scope, $query
        $options = New-Object System.Management.EventWatcherOptions
        $options.TimeOut = [timespan]"0.0:0:1"
        #$watcher.Options = $options
        $watcher.Start()
        while ($true)
        {
            # WaitForNextEvent throws ManagementException when the timeout expires; swallow it and keep polling
            trap [System.Management.ManagementException] {continue}
            $watcher.WaitForNextEvent()
            if ($host.UI.RawUI.KeyAvailable)
            {
                $key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp")
                if (($key.VirtualKeyCode -eq $ESCkey) -or ($key.VirtualKeyCode -eq $Qkey))
                {
                    $watcher.Stop()
                    break
                }
            }
        }
    }
    Set-Alias gwe Get-WmiEvent
    # NOTE: the function declares only -class and -Path; the -ComputerName, -Credential,
    # -Timeout and -Query arguments below are not parameters it accepts
    $watch = gwe -class "Win32_ComputerSystemEvent" -ComputerName "pc47142" -Credential administrator -Timeout "0.0:0:1" -Query "Select * from __InstanceCreationEvent WITHIN 1 WHERE targetinstance isa 'Win32_NTLogEvent' and TargetInstance.logfile = 'security'"
    $result = $watch.WaitForNextEvent()
    $path = $result.TargetInstance.__PATH
    $liveObject = [wmi]$path

I pulled this from the PowerShell blog page and tried to modify it to work with event logs. Thank you for the code you listed. I am still learning how Windows handles its files (namespace whatever); it is slowly making sense.
_____________________________
The Eyes of the Wolf is the Raven; The Ravens Teeth, the Wolf.
RE: Win32_NTEventLog - 7/30/2007 1:15:11 AM
SAPIENScripter
Posts: 261
Score: 2
Joined: 11/1/2006
From: SAPIEN Technologies
Status: offline
Ah, that is a horse of a different color as they say in Oz. My previous post is only for using WMI objects. You are working with WMI events. From what I can gather, the issue is passing alternate credentials. You can set alternate credentials by modifying the scope options. Modify your function so that you pass it a credential object:

    Function Get-WmiEvent ($class, $Path = "root\cimv2", $credential)
    {
        # your existing code
        $scope = New-Object System.Management.ManagementScope $Path
        # add this
        if ($credential)
        {
            # use alternate credentials if passed
            $scope.Options.Username = $credential.GetNetworkCredential().UserName
            $scope.Options.Password = $credential.GetNetworkCredential().Password
        }
        # the rest of your function
    }
_____________________________
Jeffery Hicks Windows PowerShell MVP SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
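As an added example (not code from the thread or from SAPIEN): the two replies above, the EnablePrivileges one and the alternate-credentials one, combined into a single Get-WmiEvent that sets both on the ManagementScope's ConnectionOptions and returns a watcher for new Security-log records. The parameter names, the five-second timeout and the "pc47142" usage are my assumptions.

```powershell
Function Get-WmiEvent {
    param(
        [string]$Query = "Select * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security'",
        [string]$ComputerName = ".",
        [string]$Namespace = "root\cimv2",
        [System.Management.Automation.PSCredential]$Credential,
        [timespan]$Timeout = [timespan]"0:0:5"
    )
    $conn = New-Object System.Management.ConnectionOptions
    # Reading the Security log needs the Security privilege; this is the
    # ManagementScope equivalent of $obj.psbase.Scope.Options.EnablePrivileges
    $conn.EnablePrivileges = $true
    $conn.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
    if ($Credential) {
        # WMI only accepts alternate credentials for remote connections
        $net = $Credential.GetNetworkCredential()
        $conn.Username = $net.UserName
        if ($net.Domain) { $conn.Username = "$($net.Domain)\$($net.UserName)" }
        $conn.Password = $net.Password
    }
    $scope = New-Object System.Management.ManagementScope "\\$ComputerName\$Namespace", $conn
    $scope.Connect()   # fails here, not later, if credentials or privileges are wrong
    $eventQuery = New-Object System.Management.WqlEventQuery $Query
    $watcherOptions = New-Object System.Management.EventWatcherOptions
    $watcherOptions.Timeout = $Timeout   # WaitForNextEvent throws ManagementException on expiry
    New-Object System.Management.ManagementEventWatcher $scope, $eventQuery, $watcherOptions
}

# Usage (assumed host and account): wait once for the next Security-log record and show it.
# The TargetInstance embedded in the event is the Win32_NTLogEvent that was just written.
$cred = Get-Credential "pc47142\administrator"
$watcher = Get-WmiEvent -ComputerName "pc47142" -Credential $cred
try {
    $ev = $watcher.WaitForNextEvent()
    $ev.TargetInstance | Select-Object TimeGenerated, EventCode, Message
} catch [System.Management.ManagementException] {
    Write-Warning "No Security event arrived within $($watcher.Options.Timeout): $($_.Exception.Message)"
} finally {
    $watcher.Stop()
}
```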
RE: Win32_NTEventLog - 8/7/2007 12:14:44 AM
wolfmandragon
Posts: 13
Score: 0
Joined: 7/13/2007
Status: offline
While building my script I was checking log entries next to wireshark; Vista has a bad bug in the security logs (perhaps app logs as well, but I have not checked them). Vista logs source address as destination address and vice versa. If you go to the event viewer and look at an ErrorCode 5157 or 5152 you will see it.
_____________________________
The Eyes of the Wolf is the Raven; The Ravens Teeth, the Wolf.
RE: Win32_NTEventLog - 8/7/2007 1:39:54 AM
SAPIENScripter
Posts: 261
Score: 2
Joined: 11/1/2006
From: SAPIEN Technologies
Status: offline
Are you running Powershell ON a Vista box? If so, make sure you run it as Administrator. Otherwise many things that would work fine on XP or 2003 won't work and you'll be wondering why.
_____________________________
Jeffery Hicks Windows PowerShell MVP SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
RE: Win32_NTEventLog - 8/7/2007 2:06:10 AM
wolfmandragon
Posts: 13
Score: 0
Joined: 7/13/2007
Status: offline
I do run as Administrator. It's not a Powershell issue, it is a Vista issue. You can go to the Event Viewer snapin and see the error in the source and destination. It also looks like the ports may be reversed as well.
_____________________________
The Eyes of the Wolf is the Raven; The Ravens Teeth, the Wolf.
RE: Win32_NTEventLog - 8/7/2007 2:27:47 AM
SAPIENScripter
Posts: 261
Score: 2
Joined: 11/1/2006
From: SAPIEN Technologies
Status: offline
That wouldn't surprise me much. I have to say I'm not a big Vista fan and Vista+Powershell can be very painful at times. I don't have those event types in my log on my test Vista box. So if you still have a Vista problem I may not be able to help much more.
_____________________________
Jeffery Hicks Windows PowerShell MVP SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
RE: Win32_NTEventLog - 8/7/2007 3:14:10 AM
wolfmandragon
Posts: 13
Score: 0
Joined: 7/13/2007
Status: offline
It isn't a big problem. I am chopping up the message block anyway, so I will just reorder the addresses. I was posting this here as a warning to others that may be working in the security event log.
_____________________________
The Eyes of the Wolf is the Raven; The Ravens Teeth, the Wolf.
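As an added example, not code from the thread: a parser for the Message body of the Windows Filtering Platform events named above (5152 "blocked a packet", 5157 "blocked a connection") that pulls out the Network Information fields, renders them as one syslog line for the forwarding wolfmandragon describes, and has a switch that applies the source/destination reordering he says he uses as his workaround. The function name, the sample message and the collector host name are constructed.

```powershell
Function ConvertTo-WfpSyslogLine {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$EventCode,
        [string]$Hostname = $env:COMPUTERNAME,
        [switch]$SwapAddresses   # apply the source/destination reorder described in the thread
    )
    # Event Viewer renders each field as "<Name>:<whitespace><value>"; section
    # headers such as "Network Information:" carry no value and are skipped
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(?<name>[A-Za-z ]+?):\s*(?<value>\S.*?)\s*$') {
            $fields[$Matches['name']] = $Matches['value']
        }
    }
    $src, $sport = $fields['Source Address'], $fields['Source Port']
    $dst, $dport = $fields['Destination Address'], $fields['Destination Port']
    if ($SwapAddresses) { $src, $dst = $dst, $src; $sport, $dport = $dport, $sport }
    # RFC 3164 shape: <PRI>TIMESTAMP HOST TAG: MSG; PRI 84 = facility 10 (security) * 8 + severity 4 (warning)
    $stamp = (Get-Date).ToString("MMM dd HH:mm:ss")
    "<84>$stamp $Hostname WFP[$EventCode]: action=blocked proto=$($fields['Protocol']) dir=$($fields['Direction']) " +
        "src=$src spt=$sport dst=$dst dpt=$dport app=$($fields['Application Name'])"
}

# Constructed sample in the shape of a 5152 ("blocked a packet") Message body
$sample = @"
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:          1234
    Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:           Inbound
    Source Address:      10.0.0.5
    Source Port:         53
    Destination Address: 192.168.1.20
    Destination Port:    51234
    Protocol:            17
"@
$line = ConvertTo-WfpSyslogLine -Message $sample -EventCode 5152 -SwapAddresses
$line

# Forward over UDP/514 to a syslog collector (placeholder host name)
$udp = New-Object System.Net.Sockets.UdpClient
$bytes = [Text.Encoding]::ASCII.GetBytes($line)
$udp.Send($bytes, $bytes.Length, "syslog.example.internal", 514) | Out-Null
$udp.Close()
```

Whether the swap is needed on a given build is something to confirm against a packet capture, as wolfmandragon did, before turning the switch on for a whole feed.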