Curated Examples
Watch logon events
Use PSEventViewer to watch selected Security log events.
This pattern is useful during a short troubleshooting window where new logon success or failure events matter.
It comes from the source example at Modules/PSEventViewer/Examples/Example.WatchBasic.ps1.
When to use this pattern
- You need to observe new events instead of querying old ones.
- You are watching a known machine and log.
- The action should run only for a bounded period.
Example
Import-Module PSEventViewer
$action = {
param($Event)
Write-Host "Found event $($Event.Id) on $($Event.Computer)"
}
$watcher = Start-EVXWatcher -Name 'BasicWatcher' -MachineName $env:COMPUTERNAME -LogName 'Security' -EventId 4624, 4625 -Action $action
Start-Sleep -Seconds 30
Get-EVXWatcher -Id $watcher.Id | Format-List
Stop-EVXWatcher -Id $watcher.Id
What this demonstrates
- starting a watcher for selected event IDs
- handling new events with a script block
- stopping the watcher after a short window