Get-IpamIpAddressAuditEvent

Get-IpamIpAddressAuditEvent

Gets all IP address audit events in IPAM.

Syntax

Parameter Set: ByClientId
Get-IpamIpAddressAuditEvent -ClientId <String> -EndDate <DateTime> -StartDate <DateTime> [-CimSession <CimSession[]> ] [-CorrelateLogonEvents] [-ThrottleLimit <Int32> ] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: ByHostName
Get-IpamIpAddressAuditEvent -EndDate <DateTime> -HostName <String> -StartDate <DateTime> [-CimSession <CimSession[]> ] [-CorrelateLogonEvents] [-ThrottleLimit <Int32> ] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: ByIpAddress
Get-IpamIpAddressAuditEvent -EndDate <DateTime> -IpAddress <String> -StartDate <DateTime> [-CimSession <CimSession[]> ] [-CorrelateLogonEvents] [-ThrottleLimit <Int32> ] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: ByUserName
Get-IpamIpAddressAuditEvent -EndDate <DateTime> -StartDate <DateTime> -UserName <String[]> [-CimSession <CimSession[]> ] [-ThrottleLimit <Int32> ] [ <CommonParameters>] [ <WorkflowParameters>]




Detailed Description

The Get-IpamIpAddressAuditEvent cmdlet gets all IP address audit events from an IP Address management (IPAM) server over a time interval. IPAM enables IP address tracking through correlation of Dynamic Host Configuration Protocol (DHCP) lease events on managed DHCP servers with user and computer authentication events on managed domain controllers and Network Policy Server (NPS) servers. You can search correlated events by IP address, client ID, hostname, or username. Use DCHP events between a start date and an end date to correlate data. The data returned includes data for both the start date and the end date.

The cmdlet returns only the top 10,000 rows if the query results exceed more than 10,000 rows. The cmdlet will display a warning if this occurs. You can avoid this situation if you narrow the search criteria to limit the results.

Parameters

-CimSession<CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.


Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ClientId<String>

Specifies an array of client IDs. Use this parameter to search for audit events by Media Access Control (MAC) address. You may use dashes (-) in the client ID but they are not required.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-CorrelateLogonEvents

Indicates that the cmdlet correlates logon events. Use this parameter to include or exclude user and computer events from domain controllers and NPS servers. If you specify this parameter, logon events are included in the correlated set of events retrieved by this cmdlet.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EndDate<DateTime>

Specifies the end date, as a DateTime object, for which to get the event data. To get a DateTime object, use the Get-Date cmdlet and specify the date in DD/MM/YYYY format.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-HostName<String>

Specifies an array of host names. Use this parameter to search correlated events by host name.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-IpAddress<String>

Specifies an IP address. Use this parameter to search correlated events by IPv4 address. The cmdlet does not support IPv6 address tracking.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-StartDate<DateTime>

Specifies the start date as a DateTime object. To get a DateTime object, use the Get-Date cmdlet and specify the date in DD/MM/YYYY format.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-UserName<String[]>

Specifies an array of user names. Use this parameter to search correlated events by username. Searching by user's domain name is not supported. Logon events are included in this search because user names are not specified in DHCP lease events.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see    about_CommonParameters.

<WorkflowParameters>

This cmdlet supports the following workflow common parameters: -PSParameterCollection, -PSComputerName, -PSCredential, -PSConnectionRetryCount, -PSConnectionRetryIntervalSec, -PSRunningTimeoutSec, -PSElapsedTimeoutSec, -PSPersist, -PSAuthentication, -PSAuthenticationLevel, -PSApplicationName, -PSPort, -PSUseSSL, -PSConfigurationName, -PSConnectionURI, -PSAllowRedirection, -PSSessionOption, -PSCertificateThumbprint, -PSPrivateMetadata, -AsJob, -JobName, and –InputObject. For more information, see    about_WorkflowCommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

Outputs

The output type is the type of the objects that the cmdlet emits.

  • IpamIpAuditEvent

    This cmdlet returns an object that represents an IP address audit event in IPAM.


Examples

Example 1: Get all IP address audit events

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events between the date stored in the $LastMonth and the date stored in the $Today variables. The command gets only DHCP lease data. The command stores the results in the variable named $IpamIpAddressAuditEvents.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today

Example 2: Get all IP address audit events for an end date and a start date

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events for the specified IP address, between a start date and an end date and stores the results in the variable named $IpamIpAddressAuditEvents. This command searches only DHCP lease events.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today -IpAddress 10.10.1.1

Example 3: Get all IP address audit events, user events, and logon events for an end date and a start date

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events for the specified IP address, between a start date and an end date. The command includes user and computer logon events from DC and NPS through the CorrelateLogonEvents switch parameter. The command stores the results in the variable named $IpamIpAddressAuditEvents.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $lastMonth -EndDate $Today -IpAddress 10.10.1.1 -CorrelateLogonEvents

Example 4: Get all IP address audit events by MAC address

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events for a client ID, between a start date and an end date. The command includes user and computer log-on events from DC and NPS through the CorrelateLogonEvents switch parameter. The command then stores the results in the variable named $IpamIpAddressAuditEvents.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today -ClientId "AA:BB:CC:DD:EE:FF" -CorrelateLogonEvents

Example 5: Get all IP address audit events by hostname

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events for a given hostname, between a start date and an end date. The command also includes user and computer log-on events from DC and NPS through the CorrelateLogonEvents switch parameter. The command stores the results in the variable named $IpamIpAddressAuditEvents.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today -HostName "client1.contoso.com" -CorrelateLogonEvents

Example 6: Get all IP address audit events by username

The first command gets the current date and stores the result in the variable named $Today. The second command subtracts 30 days from the date stored in the $Today variable and stores the result in the variable named $LastMonth. The third command gets all IP address audit events for a username, between a start date and an end date. Since the username is available only from authentication data, this data is always included while querying for audit events based on username. The command stores the results in the variable named $IpamIpAddressAuditEvents.


PS C:\> $Today = Get-Date
PS C:\>$LastMonth = $Today.AddDays(-30)
PS C:\>$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today -HostName "client1.contoso.com"

Related topics

Community Additions

ADD
Show: