Solved

Powershell command to extract security log events

Posted on 2011-09-28
2
1,142 Views
Last Modified: 2012-05-12
I'm trying to write a powershell script that will extract info from the security logs of event type 4728 and 4729. The script is ok, but the message field includes the entire message field.
What I am interested are just these parts: the heading, subject account name, member account name, group name.
So, it would look like this:
A member was added to a security-enabled global group.
Account Name:      Admin.
Account Name:      CN=username,OU=Users,DC=domain,DC=com
Group Name: Administrators
 
Any help appreciated.


Get-EventLog "Security"| Where-Object {$_.EventID -eq 4728 -or $_.EventID -eq 4729} | Select TimeGenerated, message | export-csv c:\test.csv

Open in new window

0
Comment
Question by:sherryfitzgroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 16

Accepted Solution

by:
Dale Harris earned 250 total points
ID: 36717686
I haven't got the working script for this yet, but your starting point is using Select-String.

So output all of your info to a text file in a big block of info.  Then go through and do a Select String on your exported events that you care about.

Here's how you it would look once you had the text file in one big block:

get-content "BigFile.txt" | Select-string "Account","Group Name"

This would output every single Account line and Group Name line.

HTH,

Dale Harris
0
 
LVL 18

Assisted Solution

by:x-men
x-men earned 100 total points
ID: 36717690
you'll have to "work" the .substring()
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief introduction to what I consider to be the best editor for PowerShell.
Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question