# MSP Programs & Scripts Code

Programs and PowerShell Scripts for MSP/RMM Admins

Brought to you by: theitguys
| File | Date | Commit |
|---|---|---|
| Get-TaskSchedulerLog-output.txt | 2019-05-29 | [00796e] setting up new repo |
| Get-TaskSchedulerLog.ps1 | 2019-06-18 | [1cf5db] added Get-QUserInfo.ps1 for module to see user ... |
| ReadMe.txt | 2019-05-29 | [00796e] setting up new repo |
# ReadMe for getting ALL event logs that Ninja can't

I was asked on the unofficial Ninja Slack channel about how to grab events from TaskScheduler. Once done, it becomes easy to do things in parsing, triggering a signalling Event ID as per this post, or even more detailed analysis as described here.

Ninja can't natively read these logs, and seems to be restricted to just those logs seen with:

```
PS C:\Windows\system32> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded       2,675 Application
     512      7 OverwriteOlder          2,694 DOM2PLD
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded           0 Media Center
     512      7 OverwriteOlder              9 NinjaRMM Log
  20,480      0 OverwriteAsNeeded      11,804 Security
  20,480      0 OverwriteAsNeeded      14,320 System
  15,360      0 OverwriteAsNeeded         425 Windows PowerShell
```

That's it! Makes sense, as I'm sure they only use the Get-EventLog or equivalent command. But to dig into those other juicy logs and get around Ninja's limitation so you can start grabbing enough data to do some really useful stuff (especially for reports), you need to use a different way. Luckily, PS is still your friend!

```
Help Get-WinEvent
```

---

This way of getting around Ninja's limitation works with all Windows logs, as the agent runs scripts as SYSTEM (if you wisely ask it to). Curious about which logs you can get this way? Well, you can get to the ones Ninja can see this way as well! Just do a:

```
Get-WinEvent -ListLog '*'

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            20971520        2675 Application
Circular             1052672        2694 DOM2PLD
Circular            20971520           0 HardwareEvents
Circular             1052672           0 Internet Explorer
Circular            20971520           0 Key Management Service
Circular             8388608           0 Media Center
Circular             1052672           9 NinjaRMM Log
Circular            20971520       11804 Security
Circular            20971520       14320 System
Circular            15728640         425 Windows PowerShell
Circular            20971520           0 ForwardedEvents
Circular             1052672           0 Microsoft-Windows-API-Tracing/Operational
Circular             1052672           0 Microsoft-Windows-AppID/Operational
Circular             1052672           0 Microsoft-Windows-Application Server-Applications/Admin
Circular             1052672           0 Microsoft-Windows-Application Server-Applications/Operational
Circular             1052672           0 Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
Circular             1052672           2 Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Circular             1052672           0 Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Circular             1052672          70 Microsoft-Windows-Application-Experience/Program-Inventory
[...]
```

I'd love to hear about how you have used this method to get to more system logs, and whether you are able to create a "stream" of events by periodically grabbing the events and keeping track of what to ignore (dupes) with a high water mark!

-pat :)

Catch us on Slack here: https://join.slack.com/t/ninjarmm-colab/shared_invite/enQtNDczNDQxMTE1MTM3LWY3ZjYwMTFhYzE0NjE3M2YzMDkxNGNhOTVjNzFkMjk1MGZmZjQzM2RiN2JjYWE2ZjVmNjg4MTQ3ZTJmMzVlODU
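The "stream with a high water mark" idea above, worked through as an added example (this is not the repo's Get-TaskSchedulerLog.ps1 and not code from the ReadMe author): each run pulls Task Scheduler events through Get-WinEvent, reports only those with a RecordId above the last checkpoint, and stores the new checkpoint. It assumes the script runs as SYSTEM via the RMM agent and that the Microsoft-Windows-TaskScheduler/Operational log is enabled (it is off by default on client editions of Windows). The checkpoint file location and the chosen event IDs are assumptions made for the example, not settings from the page.

```powershell
# Added example (not from the theitguys repo): incremental collection of
# Task Scheduler events with a RecordId high-water mark so repeated runs
# skip events already seen (the "dupes" problem from the ReadMe).
# Assumptions: runs as SYSTEM; the Operational log below is enabled;
# $StatePath is a hypothetical location chosen for this example.

$LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
$StatePath = Join-Path $env:ProgramData 'TaskSchedLog\highwater.txt'

# Example selection of IDs a defender usually cares about in this log:
# 106 = task registered, 140 = task registration updated,
# 141 = task registration deleted, 201 = action completed,
# 203 = action failed to start.
$WatchIds = 106, 140, 141, 201, 203

# Read the previous high-water mark; 0 means "report everything" (first run).
[int64]$LastRecordId = 0
if (Test-Path $StatePath) {
    $raw = (Get-Content $StatePath -Raw)
    if ($raw -and $raw.Trim() -match '^\d+$') { $LastRecordId = [int64]$raw.Trim() }
}

# -Oldest returns ascending RecordId, so the last object is the new mark.
# Get-WinEvent errors when nothing matches; SilentlyContinue turns that
# into an empty result instead of a red error in the RMM output.
$Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $WatchIds } `
                       -Oldest -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $LastRecordId }

if (-not $Events) {
    Write-Output "No new Task Scheduler events since RecordId $LastRecordId"
    return
}

foreach ($e in $Events) {
    # TaskName is a named EventData field; read it from the event XML
    # rather than parsing the localized Message text.
    $xml  = [xml]$e.ToXml()
    $task = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
    [pscustomobject]@{
        RecordId    = $e.RecordId
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Task        = $task
        User        = $e.UserId   # SID of the account the event was logged under
    }
}

# Persist the new high-water mark so the next run only reports newer records.
$NewMark = ($Events | Select-Object -Last 1).RecordId
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
Set-Content -Path $StatePath -Value $NewMark
```

Run it on a schedule from the RMM and feed the emitted objects into whatever reporting or alerting the agent supports; because the filter is a FilterHashtable rather than a Where-Object over the whole log, the query is evaluated by the event log service and stays cheap even on the larger logs listed above. If the Operational log is disabled you will see nothing at all, so checking `(Get-WinEvent -ListLog $LogName).IsEnabled` first is a sensible guard.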