Using PoSh is quite similar to the Linux CLI, so I hope it will go well for me 😉
Windows PowerShell is an evolution of the command line – a combination of a DOS shell and scripting environment.
PowerShell is based on Microsoft’s .NET framework.
PoSh uses the pipe (|) in the same way as the Linux CLI, to pass the output of one command as the input of the next.
Scripts are text files that contain sequences of calls to cmdlets, and these files have the extension .ps1. BUT by default Windows is not configured to allow the execution of unsigned scripts (this is governed by the execution policy), because they can be used to damage the system, so that may be a problem.
A script is run by putting .\ in front of its name:
PS D:\PoSh-skripte> .\test1.ps1

How to view event logs with PoSh
ALWAYS OPEN PoSh AS ADMINISTRATOR!!! (otherwise, among other things, the Security log entries are not visible)
1. This command lists the event logs on the local computer:
PS C:\> get-eventlog -list
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
20,480 0 OverwriteAsNeeded 31,160 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
8,192 0 OverwriteAsNeeded 0 Media Center
128 0 OverwriteAsNeeded 892 OAlerts
512 7 OverwriteOlder 0 Operations Manager
512 7 OverwriteOlder 0 PreEmptive
…4,240 0 OverwriteAsNeeded 485,748 Security
8,192 0 OverwriteAsNeeded 4,316 Symantec Endpoint Protection Client
20,480 0 OverwriteAsNeeded 57,358 System
15,360 0 OverwriteAsNeeded 323 Windows PowerShell
2. This command gets the five most recent entries from the Security event log:
PS C:\> Get-EventLog -newest 5 security
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
757652 Mar 01 14:27 SuccessA… Microsoft-Windows… 4648 A logon was attempted using explicit credentials….
757651 Mar 01 14:11 SuccessA… Microsoft-Windows… 4648 A logon was attempted using explicit credentials….
757650 Mar 01 13:11 SuccessA… Microsoft-Windows… 4634 An account was logged off….
757649 Mar 01 13:11 SuccessA… Microsoft-Windows… 4624 An account was successfully logged on….
757648 Mar 01 13:11 SuccessA… Microsoft-Windows… 4672 Special privileges assigned to new logon….
3. How to view one specific log entry, in a readable format:
PS C:\> Get-EventLog -logname security -InstanceID 4672 -index 757648|format-list -property *
EventID : 4672
MachineName : ime-moje-mašine
Data : {}
Index : 757648
Category : (12548)
…..

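Putting steps 1 to 3 together, here is a small .ps1 script (an added example, not part of the original post) that checks it is running elevated, pulls the newest Security entries, and summarises the logon-related event IDs that appear in the output above (4624, 4634, 4648, 4672) before showing the latest 4672 entry in full. It assumes Windows PowerShell 5.1, where Get-EventLog is still available; the $Newest parameter and the ID descriptions are mine.

```powershell
# logon-summary.ps1 (added example, not from the original post)
# Summarises recent logon-related entries in the Security log.
# Assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7).

param(
    [int]$Newest = 200   # how many of the most recent Security entries to inspect
)

# The Security log is only readable from an elevated session (see the note above).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Run this script from an elevated (Administrator) PowerShell."
    exit 1
}

# Event IDs seen in the output above, with a short description for each.
$ids = @{
    4624 = 'Logon succeeded'
    4634 = 'Logoff'
    4648 = 'Logon with explicit credentials'
    4672 = 'Special privileges assigned to new logon'
}

# Pull the newest entries and keep only the IDs of interest.
$events = Get-EventLog -LogName Security -Newest $Newest |
    Where-Object { $ids.ContainsKey([int]$_.InstanceId) }

# One row per event ID: how many times it appeared and when it was last seen.
$events |
    Group-Object InstanceId |
    ForEach-Object {
        [pscustomobject]@{
            EventID     = [int]$_.Name
            Description = $ids[[int]$_.Name]
            Count       = $_.Count
            LastSeen    = ($_.Group | Sort-Object TimeGenerated -Descending)[0].TimeGenerated
        }
    } |
    Sort-Object EventID |
    Format-Table -AutoSize

# Full detail of the most recent privileged logon (4672), as in step 3 above.
$events |
    Where-Object { $_.InstanceId -eq 4672 } |
    Select-Object -First 1 |
    Format-List -Property *
```

Because of the execution policy mentioned earlier, the script will only run once signed scripts or local scripts are allowed (for example with Set-ExecutionPolicy RemoteSigned -Scope CurrentUser).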
A good link with examples.