opexxx

Query-EventLog.ps1

Dec 8th, 2015
    $computer = "."     # A period indicates the local machine, the default.

    # Each assignment below is an alternative query. Only the last uncommented
    # assignment takes effect, so comment out or reorder the lines to pick one.
    # The OR in the first query is parenthesized so that both event codes are
    # restricted to the Security log (AND binds tighter than OR in WQL).
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND (EventCode = '529' OR EventCode = '4625')"     # Bad username/password.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '644'"       # Account lockout.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '624'"       # User account created.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '627'"       # Password change attempted.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '628'"       # Password change successful.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '629'"       # User account disabled.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND EventCode = '517'"       # Security log cleared.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security' AND Type = 'audit failure'"  # Security log failed events.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'System' AND Type = 'Error'"            # System log errors.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE logfile = 'System' AND EventCode = '6008'"        # System log unexpected shutdowns.

    # Run the selected query and keep the fields most useful for review.
    Get-WmiObject -Query $query -ComputerName $computer |
        Select-Object RecordNumber,TimeGenerated,ComputerName,LogFile,User,SourceName,EventCode,Type,Message
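The bad username/password query returns Win32_NTLogEvent objects; this added example (not part of the original paste) tallies event 4625 failures per source address from their InsertionStrings so repeated failures stand out. The function names, the threshold and the sample records are constructed for illustration, and indices 5 and 19 are assumed to be the TargetUserName and IpAddress positions in the 4625 data fields.

```powershell
# Added example, not from the original paste. Get-FailedLogonSummary,
# New-Sample4625 and -Threshold are hypothetical names.
function Get-FailedLogonSummary {
    param(
        [Parameter(ValueFromPipeline)] $Record,   # a Win32_NTLogEvent-like object
        [int]$Threshold = 3                       # minimum failures to report
    )
    begin { $rows = @() }
    process {
        # Legacy event 529 uses a different field layout, so only 4625 is parsed.
        if ($Record.EventCode -ne 4625) { return }
        $s = $Record.InsertionStrings
        if ($null -eq $s -or $s.Count -lt 20) { return }   # skip truncated records
        # Assumed positions: [5] = TargetUserName, [19] = IpAddress.
        $rows += [pscustomobject]@{ Account = $s[5]; Source = $s[19] }
    }
    end {
        $rows | Group-Object Source | ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = $accounts.Count        # distinct accounts tried from this source
                Names    = $accounts -join ','
            }
        } | Where-Object Failures -ge $Threshold | Sort-Object Failures -Descending
    }
}

# Constructed sample records (documentation address ranges), so this runs offline.
function New-Sample4625([string]$Account, [string]$Ip) {
    $s = @('-') * 21
    $s[5] = $Account; $s[19] = $Ip
    [pscustomobject]@{ EventCode = 4625; InsertionStrings = $s }
}
$sample = @(
    New-Sample4625 'alice' '203.0.113.7'
    New-Sample4625 'bob'   '203.0.113.7'
    New-Sample4625 'carol' '203.0.113.7'
    New-Sample4625 'alice' '198.51.100.4'
    [pscustomobject]@{ EventCode = 529; InsertionStrings = @('x') }   # ignored
)
$sample | Get-FailedLogonSummary -Threshold 3

# Live use from an elevated Windows PowerShell session:
#   Get-WmiObject -Query $query -ComputerName $computer | Get-FailedLogonSummary
```

For live use, pipe the Get-WmiObject output in before Select-Object, since the projection in the original script drops InsertionStrings.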