This PowerShell module, which started as an event library (Get-EventsLibrary.ps1), has grown up and become a full-fledged PowerShell module. It has multiple functionalities, but one of its signature features is the ability to parse (mostly Security) event logs on Domain Controllers.

MalkeshDalia/PSWinReporting

PSWinReporting

PSWinReporting is a little PowerShell module that solves the problem of monitoring and reading Windows Events. It allows you to set up monitoring of Domain Controllers (and, from 2.X, any other servers) for events that happen on them. By default it comes with built-in Active Directory event support, but since 2.0 you can configure it to monitor basically anything. You can set up reporting on any type of event and have emails delivered with a summary of hourly, daily, weekly, monthly or quarterly changes. It also supports sending notifications to Microsoft Teams, Slack, and Discord. Make sure to go through the related articles, as they contain all the know-how, which is quite useful if you want to get everything out of this module.

The full project description is available at my website.

Currently there are 2 branches of PSWinReporting:

  • Legacy branch - available in PS Gallery as PSWinReporting - Install-Module -Name 'PSWinReporting' -Force
  • Master branch - available in PS Gallery as PSWinReportingV2 - Install-Module -Name 'PSWinReportingV2' -Force

I've decided that both PowerShell modules can coexist, especially for people who want to switch but don't want to do it right away. This way you can keep using the old version as is and slowly fix your other stuff, or use the new Find-Events command. Commands are slightly renamed for the V2 release.

PSWinReportingV2 - Master Edition

The Master edition is a complete rewrite and a new beginning. It provides the same functionality as the Legacy 1.X version, and then some more:

  • Ability to translate the report and have it suit your needs
  • Ability to completely modify event monitoring
  • Ability to monitor any servers, for any events, using a simple-to-use schema
  • Ability to target multiple servers, computers or files at the same time

At this moment there is no documentation for PSWinReportingV2 except for the articles below. Feel free to explore the Examples if you're eager to try the new version. Otherwise, fall back to the PSWinReporting Legacy Edition.

Built-in Active Directory Reports

PSWinReporting comes with predefined, built-in reports. They are used by Find-Events. They are also defined in the example configuration script, which you can use straight away after verifying that everything matches your requirements.

  • ComputerChangesDetailed
  • ComputerCreatedChanged
  • ComputerDeleted
  • EventsReboots - the least prepared report; not really useful at this moment.
  • GroupChanges
  • GroupChangesDetailed
  • GroupCreateDelete
  • GroupEnumeration
  • GroupMembershipChanges
  • GroupPolicyChanges
  • LogsClearedOther
  • LogsClearedSecurity
  • UserChanges
  • UserChangesDetailed
  • UserLockouts
  • UserLogon
  • UserLogonKerberos
  • UserStatus
  • UserUnlocked

Built-in Reporting Times

PSWinReporting comes with predefined report times. This means you can simply use True/False to enable or disable a report, or, in the case of Find-Events, simply choose a time range from the list below.

  • CurrentDay
  • CurrentDayMinusDayX
  • CurrentDayMinuxDaysX
  • CurrentHour
  • CurrentMonth
  • CurrentQuarter
  • CustomDate
  • Everything
  • Last14days
  • Last3days
  • Last7days
  • OnDay
  • PastDay
  • PastHour
  • PastMonth
  • PastQuarter
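The built-in reports and reporting times above are easiest to understand as a date window plus an event filter. The following PowerShell is an added example written for this page; it is not code from PSWinReporting. It builds the DateFrom/DateTo window for a handful of the reporting-time names (the exact semantics of each name are my assumption, so check them against the module's own output), then pulls the UserLockouts report for that window: through Find-Events when the module is loaded (the parameter names -Report, -DatesRange and -Servers are assumed from the module's usage examples, so confirm them with Get-Help), and otherwise straight from the Security log with Get-WinEvent, where event ID 4740 is the account-lockout event.

```powershell
# Added example (not part of PSWinReporting). Maps a reporting-time name to a date window.
# Window semantics are assumed: "Current*" runs from the start of the period until now,
# "Past*" is the whole previous period, "LastNdays" is a rolling window ending now.
function Get-ReportDateRange {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CurrentHour','PastHour','CurrentDay','PastDay',
                     'Last3days','Last7days','Last14days','CurrentMonth','PastMonth')]
        [string]$DatesRange,
        [datetime]$Now = (Get-Date)            # injectable so the windows can be checked offline
    )
    $today      = $Now.Date
    $hourStart  = $today.AddHours($Now.Hour)
    $monthStart = [datetime]::new($Now.Year, $Now.Month, 1)
    switch ($DatesRange) {
        'CurrentHour'  { $from = $hourStart;                $to = $Now }
        'PastHour'     { $from = $hourStart.AddHours(-1);   $to = $hourStart }
        'CurrentDay'   { $from = $today;                    $to = $Now }
        'PastDay'      { $from = $today.AddDays(-1);        $to = $today }
        'Last3days'    { $from = $Now.AddDays(-3);          $to = $Now }
        'Last7days'    { $from = $Now.AddDays(-7);          $to = $Now }
        'Last14days'   { $from = $Now.AddDays(-14);         $to = $Now }
        'CurrentMonth' { $from = $monthStart;               $to = $Now }
        'PastMonth'    { $from = $monthStart.AddMonths(-1); $to = $monthStart }
    }
    [pscustomobject]@{ DatesRange = $DatesRange; DateFrom = $from; DateTo = $to }
}

# Returns account lockouts (the UserLockouts report) for the chosen window on each server.
function Get-UserLockoutsInRange {
    param(
        [Parameter(Mandatory)][string[]]$Servers,   # domain controller names, e.g. 'DC01','DC02'
        [string]$DatesRange = 'PastDay'
    )
    $range = Get-ReportDateRange -DatesRange $DatesRange

    if (Get-Command -Name Find-Events -ErrorAction SilentlyContinue) {
        # Assumed parameter names; verify with: Get-Help Find-Events -Full
        return Find-Events -Report UserLockouts -DatesRange $DatesRange -Servers $Servers
    }

    # Fallback without the module: raw Security log query, event 4740 = account locked out.
    foreach ($server in $Servers) {
        $filter = @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $range.DateFrom
            EndTime   = $range.DateTo
        }
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # EventData fields are only reliably available through the event XML.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    When           = $_.TimeCreated
                    DomainController = $server
                    LockedAccount  = $data['TargetUserName']
                    # For 4740 the "Caller Computer Name" is carried in TargetDomainName.
                    CallerComputer = $data['TargetDomainName']
                }
            }
    }
}

# Usage (constructed values):
#   Get-ReportDateRange -DatesRange PastDay -Now (Get-Date '2024-03-10 14:30')
#     -> DateFrom 2024-03-09 00:00, DateTo 2024-03-10 00:00
#   Get-UserLockoutsInRange -Servers 'DC01','DC02' -DatesRange Last7days
```

Reading Security logs remotely requires the Event Log Readers right (or equivalent) on each DC and the Remote Event Log Management firewall rule; the -ErrorAction SilentlyContinue on Get-WinEvent also hides "no events found", so for a report you rely on, log which servers returned nothing.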

PSWinReporting - Legacy Edition

The Legacy edition will continue its life as 1.X.X. If you want to keep on using it, feel free, but it's highly encouraged to use 2.x.x once it's fully functional with all features. The code is available in the Legacy branch. The following links can help you understand how it works and how to set it up:

The following AD events are supported:

  • Group create, delete, modify (Who / When / What)
  • Group membership changes (Who / When / What)
  • User changes (Who / When / What)
  • User created / deleted (Who / When)
  • User password changes (Who / When)
  • User lockouts (Who / When / Where)
  • Computer Created / Modified (Who / When / Where)
  • Computer Deleted (Who / When / Where)
  • Event Log Backup (Who / When)
  • Event Log Clear (Who / When)

Features:

  • Support for Event Forwarding - monitoring one event log instead of scanning all domain controllers
  • Support for Microsoft Teams - Sending events as they happen to Microsoft Teams (only supported when forwarders are in use)
  • Support for Slack - Sending events as they happen to Slack (only supported when forwarders are in use)
  • Support for Microsoft SQL - Sending events directly to SQL (some people prefer it that way)
  • Support for backing up old archived logs (moves logs from Domain Controllers into chosen place)
  • Support for re-scanning logs from files - a way to recheck your logs for missing information
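With Event Forwarding, the module reads one ForwardedEvents log on the collector instead of scanning every domain controller, and the Teams/Slack near-real-time notifications depend on it. The weak point of that design is a subscription that silently stops delivering: the collector keeps running, the report just goes quiet for that DC. The following PowerShell is an added example for this page, not code from PSWinReporting, and shows a freshness check over the ForwardedEvents log that reports the last event seen from each expected source; the sample events and source names are constructed so it can be tried offline.

```powershell
# Added example (not part of PSWinReporting): flags forwarding sources that have gone quiet.
function Test-ForwardedEventSources {
    param(
        # Source computers expected to forward, as they appear in the event's MachineName.
        [Parameter(Mandatory)][string[]]$ExpectedSources,
        [int]$MaxAgeMinutes = 60,
        [datetime]$Now = (Get-Date),
        # Defaults to the collector's own ForwardedEvents log; override to test offline.
        [object[]]$Events = (Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5000 -ErrorAction SilentlyContinue)
    )
    # Newest TimeCreated per source (hashtable keys are case-insensitive, so DC01 and dc01 match).
    $lastSeen = @{}
    foreach ($e in $Events) {
        $src = $e.MachineName
        if (-not $lastSeen.ContainsKey($src) -or $e.TimeCreated -gt $lastSeen[$src]) {
            $lastSeen[$src] = $e.TimeCreated
        }
    }
    foreach ($src in $ExpectedSources) {
        $seen  = $lastSeen[$src]
        $stale = (-not $seen) -or (($Now - $seen).TotalMinutes -gt $MaxAgeMinutes)
        [pscustomobject]@{
            Source   = $src
            LastSeen = $seen          # $null when the source never appeared in the log
            Stale    = $stale
        }
    }
}

# Constructed sample: three forwarded events, two sources; DC03 never shows up.
$sampleNow    = Get-Date '2024-03-10 12:00'
$sampleEvents = @(
    [pscustomobject]@{ MachineName = 'dc01.example.local'; TimeCreated = $sampleNow.AddMinutes(-5)   }
    [pscustomobject]@{ MachineName = 'dc02.example.local'; TimeCreated = $sampleNow.AddMinutes(-180) }
    [pscustomobject]@{ MachineName = 'dc01.example.local'; TimeCreated = $sampleNow.AddMinutes(-40)  }
)
$result = Test-ForwardedEventSources -ExpectedSources 'dc01.example.local','dc02.example.local','dc03.example.local' `
                                     -Events $sampleEvents -Now $sampleNow -MaxAgeMinutes 60
# Expected: dc01 fresh (seen 5 min ago), dc02 stale (3 h), dc03 stale (never seen).
$result | Format-Table -AutoSize
$result | Where-Object Stale | ForEach-Object { Write-Warning "No recent forwarded events from $($_.Source)" }
```

Run it on the collector on a schedule and route the warnings into the same Teams/Slack channel the module posts to; a DC that stops forwarding is itself something the report should tell you about. When a source is stale, `wecutil gr <SubscriptionName>` on the collector shows the per-source runtime status of the subscription, which usually points at the cause (WinRM, source-initiated configuration, or the source not being in the allowed group).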

Example - Script running (screenshot)

Example - Email Report (screenshot)

Example - Microsoft Teams (screenshot)

Example - Slack (screenshot)
