Trouble with PowerShell command in script

Hi, trying to modify the “To Display 10 Most Recent Application Errors Logs from Event Viewer” script.

I am using the PowerShell command Get-WinEvent with an XML filter and it errors out on me. How do I format this? Here is the offending line:

ps_command={r'Get-WinEvent -FilterXml '<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select><Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select></Query></QueryList>' |Where-Object { $_.TimeCreated -ge (Get-Date).AddMinutes(-15) }'}
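One way to get this command through both Python's and PowerShell's quoting, as an added example that is not part of the original post and is not the code in the attached procedure files: keep the XML in raw strings, wrap it as a PowerShell single-quoted literal, and pass the whole command with `-EncodedCommand`. The helper names (`ps_quote`, `build_ps_command`, `encode_command`, `build_argv`) are hypothetical.

```python
import base64
import subprocess
import sys

# Query from the post, built from adjacent raw strings so the XML's double
# quotes never meet a Python string delimiter.
FILTER_XML = (
    r'<QueryList><Query Id="0" Path="Application">'
    r'<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>'
    r'<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>'
    r'</Query></QueryList>'
)


def ps_quote(text):
    """Wrap text as a PowerShell single-quoted literal ('' escapes ')."""
    return "'" + text.replace("'", "''") + "'"


def build_ps_command(filter_xml, minutes=15):
    """PowerShell text equivalent to the command in the post."""
    return (
        "Get-WinEvent -FilterXml " + ps_quote(filter_xml) +
        " | Where-Object { $_.TimeCreated -ge (Get-Date).AddMinutes(-%d) }" % int(minutes)
    )


def encode_command(ps_text):
    """Base64 of the UTF-16LE text, the form -EncodedCommand expects."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


def build_argv(ps_text):
    # Argument list (no shell=True), so cmd.exe never parses < > | or quotes.
    return ["powershell.exe", "-NoProfile", "-NonInteractive",
            "-EncodedCommand", encode_command(ps_text)]


if __name__ == "__main__" and sys.platform == "win32":
    # Runs the query only on Windows; elsewhere the helpers can still be imported.
    result = subprocess.run(build_argv(build_ps_command(FILTER_XML)),
                            capture_output=True, text=True)
    print(result.stdout or result.stderr)
```
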

@HTS_Dave ,

Apologies for the late response. Please try this modified procedure from our Scripts Team and provide us your feedback at your convenience.

20200217-Run_powershell_command_with_xml_filter.json (2.54 KB)

No problem on late response, working on this in spare time. This does work for us.

We’re trying to figure out how to run this in response to an event log alert being triggered, and have it email the results. No luck so far as I don’t have the option to email remediation script results, which would be really handy for other stuff as well.

We’ll probably end up trying to get the individual event log monitors set up as specific Event ID queries using this script. My concern is that it will have a system performance hit due to the agent hitting the system with this query for dozens of individual event IDs every 15-30 minutes. The problem is the event log monitors themselves force you to log in and find the associated events. This script at least lets us bring the event descriptions into Comodo to review, but our preferred method, which we have used on other RMMs, is to email the results where we can easily view and sort.

Hi @HTS_Dave,

We have forwarded your feedback to our script developers. We will provide you an update regarding this once we hear back from our team.

Kind Regards,
PremJK

Hi @HTS_Dave,

Our script developers have modified the script. Please check this and let us know your feedback.

Kind Regards,
PremJK

20200225-Run_powershell_command_with_xml_filter.json (5.69 KB)

Is the payload in base64? Couldn’t decode it in CyberChef.

Hi @InfoSecAdmin,

Please check this wiki guide to import the JSON file:
https://wiki.itarian.com/frontend/web/topic/how-to-configure-and-run-procedures-on-managed-devices

Kind Regards,
PremJK