Monday, May 18, 2015

Custom Event Logs

Creating a new event log in PowerShell

Create the new log:
New-EventLog -LogName MyEventLogName -Source scripts
See that it exists:
Get-EventLog -List
Write to it:
Write-EventLog -LogName MyEventLogName -Source scripts -Message "Dude, it works ... COOL!" -EventId 0 -EntryType information
And then pull the events from the log:
Get-EventLog -LogName MyEventLogName
Event logs created in this manner show under the "Applications and Services Logs" branch in the Event Viewer (which can be launched with "Show-EventLog"). You can use either the GUI or the "Limit-EventLog" cmdlet to change the size and retention options for the log (shown with "Get-EventLog -List").

Custom Permissions on Eventlogs

In Windows 2008 the SDDL is set with the "wevtutil" tool.
To begin, we need to get the current SDDL string. It's the "channelAccess" line in the output of the following command:
wevtutil gl MyEventLogName
Copy the channelAccess: line into the text editor of your choice:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Each of the (A;;xxx;;;x-x-x-xx) strings is an SDDL access control entry (ACE). The first "xxx" is the access mask, built by adding up these bits (so 0x7 is read, write and clear together):
Clear 0x4
Read 0x1
Write 0x2

The second "x-x-x-xx" is a user or group SID. Depending on where the SID comes from, it may be longer (for instance if it comes from Active Directory). There is a list of "well-known" SIDs here. Build a new SDDL permission and tag it onto the end of the existing string.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Finally, we need to apply the new SDDL. Paste your modified SDDL string (complete with the O:BAG:SYD on the front) after the /ca:
wevtutil sl MyEventLogName /ca:
Attempting to set the SDDL from PowerShell will cause a mess of syntax errors, due to the PowerShell interpreter trying to parse the SDDL string. This may be avoidable with single quotes, but I just ran "cmd", re-ran the command, and then ran "exit" to return to PowerShell.
Now, with a new event log that has custom permissions, you can use Write-EventLog to write output from your PowerShell scripts.
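The same permission change, as an added example that is not from the original post: a PowerShell script that reads the current channelAccess SDDL, checks it has the expected shape, appends one ACE and applies it with wevtutil, passing the whole argument as a quoted string so PowerShell does not try to parse it. The log name is the one created above; the SID is a constructed placeholder, not a real account.

```powershell
# Added example (not from the original post): append one ACE to a custom
# event log's channelAccess SDDL via wevtutil, from PowerShell.
# Assumes the log created earlier exists; the SID is a constructed placeholder.
$LogName = 'MyEventLogName'
$Sid     = 'S-1-5-21-0000000000-0000000000-0000000000-1001'   # placeholder, not a real account
$Rights  = 0x2   # Write only: a script account needs neither Read (0x1) nor Clear (0x4)

# 1. Pull the channelAccess line out of "wevtutil gl" and keep only the SDDL part.
$line = wevtutil gl $LogName | Where-Object { $_.Trim() -like 'channelAccess:*' } | Select-Object -First 1
if (-not $line) { throw "No channelAccess line found for log '$LogName'" }
$current = ($line -split ':', 2)[1].Trim()

# 2. Refuse to touch anything that does not look like owner/group/DACL followed by
#    well-formed ACEs of the form (type;;rights;;;sid); a typo here locks out readers and writers.
$acePattern = '\([A-Z];;[0-9A-Za-z]+;;;[A-Za-z0-9-]+\)'
if ($current -notmatch "^O:[A-Za-z0-9-]+G:[A-Za-z0-9-]+D:[A-Z]*($acePattern)+$") {
    throw "Unexpected SDDL shape, not modifying: $current"
}

# 3. Keep the change idempotent: do nothing if the SID already has an ACE.
if ($current -like "*;;;$Sid)*") {
    Write-Output "SID $Sid already has an ACE on '$LogName'; nothing to do"
    return
}

# 4. Build the new ACE with the access mask in hex (here 0x2) and append it.
$newAce  = '(A;;0x{0:x};;;{1})' -f $Rights, $Sid
$newSddl = $current + $newAce

# 5. Apply it. Passing the argument as one quoted string stops PowerShell from
#    interpreting the parentheses and semicolons, which is the error the post describes.
wevtutil sl $LogName "/ca:$newSddl"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# 6. Read the channel back so the applied SDDL is visible in the same session.
wevtutil gl $LogName | Select-String -SimpleMatch 'channelAccess'
```

Run it from an elevated PowerShell session; afterwards, a Write-EventLog test from the account behind the SID confirms the new ACE actually took effect.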

Sources:
Jane Lewis Blog
Hey Scripting Guy Blog