A PowerShell module that provides some additional functions to enhance PowerShell Eventing in relation to Windows Event Log events. Subscriptions can be made and actions taken when new events are written to a log. In a sense, this can be used as "poor
mans" auditing system.
These functions can be used in combination with the Windows Event Forwarding (http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx
and the ForwardedEvents Log to basically create a working auditing system. Once you have a working Windows Event Collector Server established. These functions can monitor incoming events and run whatever action you need to occur.
- Write information to the host about the new events
- Write the events to a log file
- Email alerts
- Export the Event XML data into SQL for long term storage
- Just about any other action you would like to occur...
Some of this can be accomplished with WMI Events, but unfortunately the ForwardedEvents Log is not available as a WMI trigger. Also, the Functions provide a bookmarking feature to resume monitoring from where it left off on the last run. This means that a script
can be built and set as a scheduled task to essentially run as an "agent" that will always process the given Event Log up to the current Event.
This module is inteded for, and has only been tested on Windows PowerShell 2.0 running on Windows 7 / Windows 2008 or greater.
Installing the Module
Documentation & Examples
- Download the latest release ZIP
- Extract the folder, and store in your user PowerShell Modules folder (typically %userprofile%\Documents\WindowsPowerShell\Modules)
- From the PowerShell console type: Import-Module EventLogWatcher
Detailed examples and usage scenarios can be found under
This module is provided "as-is" without any warranty. Support and updates will be provided as time allows. However, I would always be interested in anyone looking to help with the project, and enhance or improve overall functionality.
Thank you to all of you that helped in the Microsoft forums along the way with syntax questions that unknowingly ultimately helped to create this!