I am trying to track the occurrence of specified Security events. In order to accomplish this, I want a message to be displayed whenever these events are logged in the Windows Security log. Because displaying a message is a deprecated feature in Task Scheduler, I am using Powershell commands to accomplish this like so:

Trigger

On event - Log: Security, Source: Microsoft-Windows-Eventlog, EventID: 1102 

Action

-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1

1102.ps1

Add-Type -AssemblyName System.Windows.Forms
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -eq 1102 } | select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Event ID: 1102')

Event ID 1102 occurs whenever the audit log is cleared. To trigger this, I simply go into Event Viewer, right click on the Security log, and click 'Clear Log...'. Shortly afterwards, a message displays as intended.

However, when I try to trigger Event ID 4719 by changing the system audit policy, no message displays despite the event being logged in the Security log. Both triggers are set up similarly in Task Scheduler so it's unclear to me why this is working for one and not the other.
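An added example, not code from the question or its answers, of the same Task Scheduler approach set up so that the trigger does not depend on guessing the event's Source: the trigger is an XPath match on the Security channel, and one handler script serves every monitored id, looking the event up server-side with `-FilterHashtable` instead of scanning the last 20 entries. The path `C:\Scripts\Show-SecurityEvent.ps1` and the task names are assumptions; run it from an elevated prompt because both `schtasks /SC ONEVENT` and reading the Security log require administrator rights.

```powershell
# Added example (not from the question or the answers).
# Assumed: handler lives at C:\Scripts\Show-SecurityEvent.ps1, tasks are named SecurityWatch-<id>.

# --- handler script: receives the event id as a parameter from the task action ---
$handler = @'
param([Parameter(Mandatory)][int]$EventId)
Add-Type -AssemblyName System.Windows.Forms
# FilterHashtable lets the event log service filter; "-MaxEvents 20 | ? Id" can miss the
# event if more than 20 other Security entries were written before the task started.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $evt) {
    [System.Windows.Forms.MessageBox]::Show("No event $EventId found in the Security log.", 'Security watch') | Out-Null
    return
}
$text = "{0}`nProvider: {1}`n`n{2}" -f $evt.TimeCreated, $evt.ProviderName, $evt.Message
[System.Windows.Forms.MessageBox]::Show($text, "Event ID: $($evt.Id)") | Out-Null
'@
New-Item -ItemType Directory -Path 'C:\Scripts' -Force | Out-Null
Set-Content -Path 'C:\Scripts\Show-SecurityEvent.ps1' -Value $handler

# --- one task per monitored id, triggered by an XPath match on the Security channel ---
# 1102 = audit log cleared, 4719 = system audit policy changed; both are events a defender
# wants to see immediately because they affect whether later activity gets recorded at all.
foreach ($id in 1102, 4719) {
    $xpath  = "*[System[(EventID=$id)]]"          # no Provider clause, so the Source cannot be wrong
    $action = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Scripts\Show-SecurityEvent.ps1 -EventId $id"
    # /SC ONEVENT with /EC (channel) and /MO (XPath) is the command-line form of the
    # "On an event" trigger; /RL HIGHEST so the handler may read the Security log.
    schtasks.exe /Create /F /TN "SecurityWatch-$id" /SC ONEVENT /EC Security /MO $xpath /TR $action /RL HIGHEST
}
```

The message box only appears if the task runs in the logged-on user's session, which is the default when no `/RU` account is given; if you later switch the task to SYSTEM the box will be drawn on a non-interactive desktop and never be seen.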

2 Answers

Don't use Task Scheduler for this. Use a permanent WmiEvent consumer / watcher. Use RegEx to go after multiple events.

Example:

Add-Type -AssemblyName System.Windows.Forms
# -match applies the regex; -eq would compare the integer Id with the literal string '1102|4719' and never match
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -match '^(1102|4719)$' } | select -First 1
# $_ only exists inside the pipeline script block; use the captured event for the title
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), "Event ID: $($lastEvt.Id)")

This has been possible for multiple languages, so not a PS-specific thing, but of course PS can be used for it.

Examples:

Powershell Centralized Log Monitor Monitors a collection of servers for specified log events, and sends email alerts when it encounters the monitored events. https://gallery.technet.microsoft.com/scriptcenter/ed188912-1a20-4be9-ae4f-8ac46cf2aae4

https://learn-powershell.net/2013/08/02/powershell-and-events-wmi-temporary-event-subscriptions

http://irl33t.com/blog/2011/06/powershell-script-watch-eventlogs-ps1

https://www.codeguru.com/vb/vbnet30/article.php/c13315/How-to-Build-a-Simple-Event-Log-MontiorWatcher-Using-TCP-in-NET.htm

https://www.codeproject.com/Articles/4857/%2fArticles%2f4857%2fA-realtime-event-log-monitoring-tool

https://www.ravichaganti.com/blog/attaching-scripts-or-tasks-to-windows-event-log-entries-using-powershell-and-wmi

  • Using Task Scheduler still to see what would happen with my current implementation, I modified the script as you suggested but doing so only prints "Event ID: " in the message's title bar. As for your suggestion to use a WmiEvent consumer / watcher, that is something I know nothing about. I'll see if I can figure it out with the links you've provided.
    – SoraPro
    Commented Dec 19, 2018 at 19:00
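The WMI watcher the answer recommends, as an added example that is not part of the answer: a temporary event subscription that matches several Security event ids in one registration. WQL has no regex, so the ids are combined with `OR`; the id list is constructed for illustration. It must run elevated, it stays registered only for the lifetime of the session (a permanent consumer built from `__EventFilter` plus `CommandLineEventConsumer` outlives it but is not shown here), and `Register-WmiEvent` exists in Windows PowerShell only; on PowerShell 7 use `Register-CimIndicationEvent` with the same query.

```powershell
# Added example (not from the answer): temporary WMI subscription on the Security log.
Add-Type -AssemblyName System.Windows.Forms

# Constructed id list: 1102 audit log cleared, 4719 audit policy changed, 4720 user account created.
$watchIds = 1102, 4719, 4720
$idFilter = ($watchIds | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '

# WITHIN 5 is the polling interval in seconds: WMI polls the log, it is not pushed to,
# so a shorter interval means faster alerts at the price of more CPU.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Security' AND ($idFilter)"

Register-WmiEvent -Query $query -SourceIdentifier 'SecurityLogWatch' -Action {
    $e    = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Win32_NTLogEvent.TimeGenerated is a DMTF string; convert it to a DateTime for display
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
    $text = "{0}`nRecord {1} from {2}`n`n{3}" -f $when, $e.RecordNumber, $e.SourceName, $e.Message
    # Log to the console too: the MessageBox blocks this action's runspace until dismissed,
    # so events arriving meanwhile queue up behind it.
    Write-Host "[$($when.ToString('s'))] Security event $($e.EventCode)"
    [System.Windows.Forms.MessageBox]::Show($text, "Event ID: $($e.EventCode)") | Out-Null
} | Out-Null

Write-Host "Watching the Security log for ids $($watchIds -join ', ')."
Write-Host "Stop with: Unregister-Event -SourceIdentifier SecurityLogWatch"
```

Because the subscription is keyed on `Win32_NTLogEvent.EventCode`, it does not care which provider wrote the record, which sidesteps the Source mismatch the question ran into.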
Finally figured this one out...it turns out the Source for 4719 is Microsoft-Windows-Security-Auditing and not Microsoft-Windows-Eventlog.
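An added check, not part of the answer, for confirming the provider before building a trigger: look up the `ProviderName` of the most recent instance of each event id, then validate the XPath a custom trigger would use by running it through `Get-WinEvent -FilterXPath`. The answer states that 1102 comes from Microsoft-Windows-Eventlog and 4719 from Microsoft-Windows-Security-Auditing, which is what this should report once both events have been logged at least once. The function name is an assumption; run elevated.

```powershell
# Added example (not from the answer): which provider writes a given Security event id?
function Get-SecurityEventProvider {
    param([Parameter(Mandatory)][int[]]$Id)
    foreach ($i in $Id) {
        # Newest instance of the id, or $null if it has never been logged on this host
        $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $i } -MaxEvents 1 -ErrorAction SilentlyContinue
        $provider = if ($null -ne $evt) { $evt.ProviderName } else { '(no instance logged yet)' }
        [pscustomobject]@{ Id = $i; Provider = $provider }
    }
}

Get-SecurityEventProvider -Id 1102, 4719 | Format-Table -AutoSize

# A custom trigger must name the provider that actually writes the event. Test the XPath
# here first: if it returns nothing while the event is visible in Event Viewer, the
# Provider or EventID in the query is wrong and the trigger would never fire either.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4719)]]"
Get-WinEvent -LogName 'Security' -FilterXPath $xpath -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```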
