Exporting event logs with Windows PowerShell

Do you need to automate error reporting based on recent events and don’t want to use third-party tools? This article describes how to collect events from different sources and unite them in one document using standard Windows instruments only. Recently I described how to export events into Excel format using our Event Log Explorer software. However, in some cases, using third-party software can be impossible.… Read More »

Case study – generating regular reports about the problems in your Windows network

Recently one of our clients asked us about the best way to organize a passive monitoring of their servers. The client told us that they don’t need to monitor the servers actively, but they want to have weekly reports about the problems. They tried to gather events using Windows PowerShell and export them to CSV format (to view events in Excel), but finally they gave… Read More »

Troubleshooting knowledge base

Some of us have dealt with the frustration of dealing with a problem we know we’ve experienced before, but didn’t register it properly. The outcome? We do it all over again, and basically, waste time and past effort. A good record of an analysis and key events can save a lot of time. Most of the internal knowledge bases used by companies, small and large,… Read More »

Forensics and Benford’s Law

As a producer of digital forensic software, we are regularly learning more about forensic methods and tasks. Recently I came across a curious article (and video) in Business Insider called “How forensic accountants use Benford’s Law to detect fraud” The video states that forensic guys can use Benford’s Law to analyze financial data and identify red flags. This sounds interesting because it is too easy to… Read More »

Troubleshooting philosophy – Windows event log error analysis

There are different circumstances that lead to an event log analysis. One of the most common is the reactive Windows error log search, “reactive” because it is done in reaction to a problem, “error log” because what we are looking for error events that will help us identify the origin of the problem. When searching the error log entries (error events in Application and System logs), it… Read More »

Once again about custom columns – extracting details from Application or System event logs

In my article “Exploring who logged on the system“, I described how to add to the event list custom columns that display data from the event description. Probably you might think that adding custom columns works for Security event logs only. Although we initially designed Custom columns feature exactly for Security logs (and referred them by name, e.g. Subject\Account name), we made it possible to use… Read More »

Advanced filtering. How to filter events by event description

A key instrument for event logs analysis is the function of event filtering. All known event log analysis tools have filtering feature, and I suppose, it is the most demanded feature of these applications. Setting filter for the most of event fields is easy. As a rule, all the event log applications let you filter by timeframe, event level, source, event IDs, users or computers… Read More »

Logon type – what does it mean?

In my previous post, I explained how to display logon type for logon events in Security log and described meaning of some values. Here I will give you more information about logon types. The descriptions of some events (4624, 4625) in Security log commonly contain some information about “logon type”, but it is too brief: The logon type field indicates the kind of logon that occurred.… Read More »

Exploring who logged on the system

One of the most important tasks in the security event log analysis is to find out who or what logs your system on. Here I will explain how Event Log Explorer helps you to solve this task. First, you need to make sure that Windows security auditing is enabled for logon events. You can do this using Local Security Policy or Group Policy, depending on… Read More »