PSWinReporting
PSWinReporting is a little PowerShell module that solves the problem of monitoring and reading Windows Events. It allows you to set up monitoring of Domain Controllers (and from 2.X any other servers) for events that happen on them. By default, it comes with built-in Active Directory events supports, but since 2.0 you can configure it to monitor anything. You can set up reporting on any types of events and have emails delivered with a summary of hourly, daily, weekly, monthly, or quarterly changes. It also supports sending notifications to Microsoft Teams, Slack, and Discord. Make sure to go thru related articles as they have all the KNOW HOW which is quite useful if you want to get everything from this module.
The full project description is available on my website - Full project description.
Currently, there are 2 branches of PSWinReporting.
- [x] Legacy branch - available in PS Gallery as PSWinReporting -
Install-Module -Name 'PSWinReporting' -Force - [x] Master branch - available in PS Gallery as PSWinReportingV2 -
Install-Module -Name 'PSWinReportingV2' -Force
I've decided that both PowerShell modules can coexist together, especially for scenarios for people who want to switch, but don't want to do it right away. This way, you can keep using old version as is, and slowly fix your other stuff, or use new Find-Events command. I've slightly renamed the commands for V2 release.
PSWinReportingV2 - Master Edition
Master edition is a complete rewrite and a new beginning. It provides the same functionality as Legacy 1.X version and then some more.
- [x] Ability to translate report and have it suite your needs
- [x] Ability to completely modify events monitoring
- [x] Ability to monitor any servers, for any events using simple to use schema
- [x] Ability to target multiple servers, computers or files at the same time
At this moment there is no documentation for PSWinReportingV2 except for those articles below. Feel free to explore Examples if you're eager to try the new version — otherwise fallback to PSWinReporting Legacy Edition.
Built-in Active Directory Reports
PSWinReporting comes with predefined, built-in reports. Those are for Find-Events. Those also come defined in example configuration script which you can use straight away after verifying everything is as per your requirement.
- [x] ADComputerChangesDetailed
- [x] ADComputerCreatedChanged
- [x] ADComputerDeleted
- [x] ADGroupChanges
- [x] ADGroupChangesDetailed
- [x] ADGroupCreateDelete
- [x] ADGroupEnumeration
- [x] ADGroupMembershipChanges
- [x] ADGroupPolicyChanges
- [x] ADLogsClearedOther
- [x] ADLogsClearedSecurity
- [x] ADUserChanges
- [x] ADUserChangesDetailed
- [x] ADUserLockouts
- [x] ADUserLogon
- [x] ADUserLogonKerberos
- [x] ADUserStatus
- [x] ADUserUnlocked
- [X] ADOrganizationalUnitChangesDetailed (added in 2.0.10)
- [x] OSStartupShutdownCrash (added in 2.0.12) - covers startup, shutdown and crashes - probably needs some work on the engine later on to allow field merging
- [x] OSCrash (added in 2.0.12) - covers system crashes
- [x] NetworkAccessAuthenticationPolicy (added in 2.0.12) - covers authorizations approved/denied for WIFI and ETHERNET
Built-in Reporting Times
PSWinReporting comes with predefined report times. This means you can use True/False to enable/disable period. In case of Find-Events, you can use defined times (checked only) from DatesRange parameter.
- [ ] CurrentDay
- [ ] CurrentDayMinusDayX
- [ ] CurrentDayMinuxDaysX
- [x] CurrentHour
- [x] CurrentMonth
- [x] CurrentQuarter
- [ ] CustomDate
- [x] Everything
- [x] Last14days
- [x] Last3days
- [x] Last7days
- [ ] OnDay
- [x] PastDay
- [x] PastHour
- [x] PastMonth
- [x] PastQuarter
Of course, you can also define DateFrom, DateTo parameters for custom use when using Find-Events command.
PSWinReporting - Legacy Edition
Legacy edition will continue it's life as 1.X.X. If you want to keep on using it, feel free, but it's highly encouraged to use 2.x.x when it's fully functional with all features. Code is available as Legacy Branch. Following links can help in understanding how it works and how to set it up:
- Review of features coming in 2.0 along with some features description for the current version - Overview of configuration and features.
- Review of new features in PSWinReporting 1.7 - Lots of changes, review required. Microsoft Teams, Slack, SQL and forwarders support
- Review of new features in PSWinReporting 1.0 - Lots of changes, review required.
- Last version of Get-EventsLibrary.ps1 - This is the actual code base for the old version. Just in case…
- Blog post about version 0.8 - Updates from feedback. Last version before the name change.
- Blog post about version 0.7 - Updates from feedback.
- Blog post about version 0.6 - Updates from feedback.
- Blog post about initial version and the differences in monitoring approach
Following AD Events are supported:
- [x] Group create, delete, modify (Who / When / What)
- [x] Group membership changes (Who / When / What)
- [x] User changes (Who / When / What)
- [x] User created / deleted (Who / When)
- [x] User password changes (Who / When)
- [x] User lockouts (Who / When / Where)
- [x] Computer Created / Modified (Who / When / Where)
- [x] Computer Deleted (Who / When / Where)
- [x] Event Log Backup (Who / When)
- [x] Event Log Clear (Who / When)
Features:
- [x] Support for Event Forwarding - monitoring one event log instead of scanning all domain controllers
- [x] Support for Microsoft Teams - Sending events as they happen to Microsoft Teams (only supported when forwarders are in use)
- [x] Support for Slack - Sending events as they happen to Slack (only supported when forwarders are in use)
- [x] Support for Microsoft SQL - Sending events directly to SQL (some people prefer it that way)
- [x] Support for backing up old archived logs (moves logs from Domain Controllers into chosen place)
- [x] Support for re-scanning logs from files - a way to recheck your logs for missing information
Example - Script running
Example - Email Report
Example - Microsoft Teams
Example - Slack
