---
external help file: krbtgtRotate-help.xml
online version:
schema: 2.0.0
---

# Write-KrbtgtEventLog

## SYNOPSIS
Writes a structured event to the Windows Event Log during krbtgt password rotation.

## SYNTAX

```powershell
Write-KrbtgtEventLog [[-LogName] <String>] [[-SourceName] <String>] [[-ComputerName] <String>]
 [-Message] <String[]> [-Category] <String> [-MessageType] <String>
```
## DESCRIPTION
Write-KrbtgtEventLog writes a Windows Event Log entry using a structured EventID and Category scheme derived from the rotation phase and the message severity. The EventID is computed as the sum of the MessageType base value and the Category byte-sum value, so log consumers can filter by rotation phase and by severity at the same time.

MessageType base values:

- Information = 256
- Warning = 512
- Error = 1024
- SuccessAudit = 2048
- FailureAudit = 4096

Category byte-sum values (ASCII byte sum of the category string):

- krbtgt = 654
- online = 645
- sync = 445
- krbtgtsinglereset = 1843

Example: an Information event for the krbtgt category has EventID 910 (256 + 654).

Called internally by Invoke-KrbtgtPasswordRotate at each significant step of the rotation process. Can also be used standalone to write custom audit events to the same structured log.
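The following is an added example, not code from the krbtgtRotate module. It reimplements the EventID scheme described above (MessageType base plus ASCII byte sum of the category) and shows the reverse operation a log consumer needs: splitting an EventID read back from the 'Directory Service' log into its phase and severity. The function names `Get-CategoryByteSum`, `Get-KrbtgtEventId` and `ConvertFrom-KrbtgtEventId` are assumptions for this example; the log name and source name are the defaults documented on this page.

```powershell
# Added example (not part of the krbtgtRotate module): encode and decode the
# EventID scheme used by Write-KrbtgtEventLog.
$MessageTypeBase = @{
    Information  = 256
    Warning      = 512
    Error        = 1024
    SuccessAudit = 2048
    FailureAudit = 4096
}

function Get-CategoryByteSum {
    # ASCII byte sum of the category string, e.g. 'krbtgt' -> 654, 'sync' -> 445.
    param([Parameter(Mandatory)][string]$Category)
    $sum = 0
    foreach ($b in [System.Text.Encoding]::ASCII.GetBytes($Category)) { $sum += $b }
    return [int]$sum
}

function Get-KrbtgtEventId {
    # EventID = MessageType base + category byte sum (910 for Information/krbtgt).
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)]
        [ValidateSet('Information', 'Warning', 'Error', 'SuccessAudit', 'FailureAudit')]
        [string]$MessageType
    )
    return [int]($MessageTypeBase[$MessageType] + (Get-CategoryByteSum -Category $Category))
}

function ConvertFrom-KrbtgtEventId {
    # Reverse the scheme: try each base (largest first) and accept the remainder
    # only if it is the byte sum of a known category. Returns $null otherwise.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [string[]]$KnownCategories = @('krbtgt', 'online', 'sync', 'krbtgtsinglereset')
    )
    $sumToCategory = @{}
    foreach ($c in $KnownCategories) { $sumToCategory[(Get-CategoryByteSum -Category $c)] = $c }

    foreach ($type in ($MessageTypeBase.GetEnumerator() | Sort-Object Value -Descending)) {
        $remainder = $EventId - $type.Value
        if ($remainder -gt 0 -and $sumToCategory.ContainsKey($remainder)) {
            return [pscustomobject]@{
                EventId     = $EventId
                MessageType = $type.Key
                Category    = $sumToCategory[$remainder]
            }
        }
    }
    return $null
}

# Encoding side: reproduces the two documented examples (910 and 957).
Get-KrbtgtEventId -Category 'krbtgt' -MessageType 'Information'   # 910
Get-KrbtgtEventId -Category 'sync'   -MessageType 'Warning'       # 957

# Decoding side: read every krbtgtRotation event from the local 'Directory Service'
# log and annotate it with the phase and severity recovered from the EventID.
# Read-only; requires permission to read that log on the host it is run on.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; ProviderName = 'krbtgtRotation' } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $decoded = ConvertFrom-KrbtgtEventId -EventId $_.Id
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            MessageType = if ($decoded) { $decoded.MessageType } else { 'unknown' }
            Category    = if ($decoded) { $decoded.Category }    else { 'unknown' }
            Message     = $_.Message
        }
    }
```

Two caveats for anyone building detections on these IDs. A byte sum is not unique: any two category strings made of the same characters in a different order share a sum, so the decoder only names a category when the remainder matches one of the known values and otherwise reports `unknown`. And because the sums are larger than the gaps between some base values, decoding must check the remainder against the category table rather than just taking the largest base that fits.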
## EXAMPLES

### EXAMPLE 1

```powershell
PS > Write-KrbtgtEventLog -Message "krbtgt password rotation started" `
    -Category "krbtgt" -MessageType "Information"
```

Results: writes an Information event to the 'Directory Service' log using the default source name 'krbtgtRotation' on the local computer. EventID = 910 (Information 256 + krbtgt 654).

### EXAMPLE 2

```powershell
PS > Write-KrbtgtEventLog -Message "Sync failed for DC01.contoso.com" `
    -Category "sync" -MessageType "Warning" `
    -LogName "Directory Service" -SourceName "krbtgtRotation" `
    -ComputerName "DC01.contoso.com"
```

Results: writes a Warning event to a remote computer's event log. EventID = 957 (Warning 512 + sync 445). Use this to record per-DC sync failures during a rotation.
## PARAMETERS

### -LogName
Specifies the name of the log to be written.

```yaml
Type: String
Parameter Sets: (All)
Aliases: Name, Log

Required: False
Position: 1
Default value: Directory Service
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -SourceName
Specifies the source of the content (for the event log).

```yaml
Type: String
Parameter Sets: (All)
Aliases: Source

Required: False
Position: 2
Default value: KrbtgtRotation
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -ComputerName
Specifies the computer where the event log will be written.

```yaml
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: $env:ComputerName
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -Message
Specifies the content of the message in the event log.

```yaml
Type: String[]
Parameter Sets: (All)
Aliases: Content

Required: True
Position: 4
Default value:
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -Category
Specifies the category of the message.

```yaml
Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 5
Default value:
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

### -MessageType
Specifies the event type.

```yaml
Type: String
Parameter Sets: (All)
Aliases: Type

Required: True
Position: 6
Default value:
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```

## NOTES

- proper help (started)
- rework of several pieces, bumping to v0.2.0 for module
- moved logic of category, message type, eventID to be inside function (vs. acting as low value proxy for Write-EventLog)
- rework value calc for category and eventID, less artisanal, more consistent
- initial creation
- pulling functionality out of previously globbed together bits...