Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Event log monitoring using Powershell

Hi I have created a powershell script to monitor event logs for account lock out or account disable, but alert is not generated , can anyone please help me tgom correct my powershell script as in am using powershell script monitor to monitor the logs.

$LogName = "Security"
$EventIDs = @(4740, 4725) # 4740: lockout, 4725: disable
$Minutes = 15
$TimeFrame = (Get-Date).AddMinutes(-$Minutes)

Define target service accounts (case-insensitive)

$TargetAccounts = @("svc_solarwinds")

Get matching events

$Events = Get-WinEvent -FilterHashtable @{
LogName = $LogName
Id = $EventIDs
StartTime = $TimeFrame
} -ErrorAction SilentlyContinue

$MatchCount = 0

if ($Events -and $Events.Count -gt 0) {
foreach ($ev in $Events) {
$eventID = $ev.Id
$timeCreated = $ev.TimeCreated
$message = $ev.Message

    # Extract account name using regex

    $AccountMatch = $message -match "Account Name:\s+([^\s]+)"

    $AccountName = if ($AccountMatch) { $Matches[1] } else { "UNKNOWN" }


    # Check if account matches target list

    if ($TargetAccounts -contains $AccountName.ToLower()) {

        $MatchCount++

        Write-Output "Message:  '$AccountName' at $($ev.TimeCreated) with message $($ev.Message)"

        Write-Output "Statistic :1"


    }

}

}

if ($MatchCount -eq 0) {
Write-Output "Message : No service account lockout/disable events found in last $Minutes minutes."
Write-Output "Statistic :0"
}

Find more posts tagged with

Accepted answers

All comments

Lofstrand

Ok, first - do you get 0 or 1 in the component when you have set up the monitoring?

If that works, then you create an alert rule to trigger when the value is wrong

shivkba

component always shows 0 while i see some lockout alert which we monitor through using windows event log monitoring, we are implementing the powershell script solution as with event log monitoring most of the application shows in unknown state.

Lofstrand

OK, normal event log monitoring should work also.

But make sure the script outputs a 1 when it finds an log post you look for. If you can make that happen you can then create an alert for that.

SteveK

I would recommend using a standard event log monitor for something like this, instead of powershell. Any reason you went with powershell?

But it looks like your script is hardcoded with $MatchCount = 0. Where that should be something like:

$MatchCount = ($Events | Measure-Object).count

Then you should add your branching logic at the bottom. I just threw random stuff down there for the else, so please update that to whatever.:

if ($MatchCount -eq 0) {

Write-Host "Message : No service account lockout/disable events found in last $Minutes minutes."

Write-Host "Statistic: 0"

} Else {

Write-Host "Message: Place message here"

Write-Host "Statistic: $($Events | Measure-Object).count"

}

shivkba

Actually when I use normal event log monitoring it goes in unknown state as job is cancelled out regularly which number of events are very high that's why I go for powershell script to monitor event logs