Solved

Powershell command to extract security log events

Posted on 2011-09-28
2
1,145 Views
Last Modified: 2012-05-12
I'm trying to write a PowerShell script that will extract info from the security logs of event type 4728 and 4729. The script is OK, but the message field includes the entire message field.
What I am interested in are just these parts: the heading, subject account name, member account name, group name.
So, it would look like this:
A member was added to a security-enabled global group.
Account Name:      Admin.
Account Name:      CN=username,OU=Users,DC=domain,DC=com
Group Name: Administrators
 
Any help appreciated.


# Pull 4728/4729 from the Security log and write time plus full message to CSV
Get-EventLog "Security" | Where-Object { $_.EventID -eq 4728 -or $_.EventID -eq 4729 } | Select-Object TimeGenerated, Message | Export-Csv c:\test.csv

Question by:sherryfitzgroup
2 Comments
 
LVL 16

Accepted Solution

by:
Dale Harris earned 250 total points
ID: 36717686
I haven't got the working script for this yet, but your starting point is using Select-String.

So output all of your info to a text file in a big block of info.  Then go through and do a Select String on your exported events that you care about.

Here's how it would look once you had the text file in one big block:

get-content "BigFile.txt" | Select-string "Account","Group Name"

This would output every single Account line and Group Name line.

HTH,

Dale Harris
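The asker wants four fields out of each 4728/4729 message, and the accepted answer points at Select-String over the dumped text. The following is an added example, not code from the question or from either answer: instead of grepping a flat file, it parses each event's Message property into sections ("Subject:", "Member:", "Group:") with a regex and returns the heading plus the three account/group names as an object, which is what Export-Csv needs for one column per field. The sample message is constructed to follow the layout of a Windows 4728 event; the function name ConvertFrom-GroupChangeMessage and the output path are assumptions.

```powershell
# Added example (not from the original question or answers).
# Parses the text of a 4728/4729 Security event into the fields the asker
# listed: heading, Subject account name, Member account name, Group name.

function ConvertFrom-GroupChangeMessage {
    param(
        [Parameter(Mandatory)][string]$Message
    )
    $lines = $Message -split '\r?\n'

    # The first non-blank line is the heading ("A member was added to ...").
    $heading = $lines | Where-Object { $_.Trim() } | Select-Object -First 1

    $section = ''
    $fields  = @{}
    foreach ($line in $lines) {
        # Unindented "Subject:", "Member:", "Group:" lines open a new section.
        if ($line -match '^(\S[^:]*):\s*$') {
            $section = $matches[1]
            continue
        }
        # Indented "Key:<tabs>Value" lines belong to the current section, so
        # the two "Account Name" keys stay distinguishable as Subject/Member.
        if ($line -match '^\s+([^:]+):\s*(.*)$') {
            $fields["$section.$($matches[1].Trim())"] = $matches[2].Trim()
        }
    }

    [pscustomobject]@{
        Heading            = "$heading".Trim()
        SubjectAccountName = $fields['Subject.Account Name']
        MemberAccountName  = $fields['Member.Account Name']
        GroupName          = $fields['Group.Group Name']
    }
}

# Constructed sample message, laid out like a real 4728 event (assumed values).
$sample = @"
A member was added to a security-enabled global group.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-500
    Account Name:       Admin
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Member:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       CN=username,OU=Users,DC=domain,DC=com

Group:
    Security ID:        S-1-5-32-544
    Group Name:         Administrators
    Group Domain:       Builtin

Additional Information:
    Privileges:         -
"@

# Offline check against the constructed sample; prints the four fields.
ConvertFrom-GroupChangeMessage -Message $sample | Format-List

# Live use on a domain controller: filter by event ID at the source rather
# than piping the whole Security log through Where-Object, then flatten each
# message into its own columns. Output path is an assumption.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4729 } |
    ForEach-Object {
        $parsed = ConvertFrom-GroupChangeMessage -Message $_.Message
        [pscustomobject]@{
            TimeCreated        = $_.TimeCreated
            EventId            = $_.Id
            Heading            = $parsed.Heading
            SubjectAccountName = $parsed.SubjectAccountName
            MemberAccountName  = $parsed.MemberAccountName
            GroupName          = $parsed.GroupName
        }
    } | Export-Csv -Path C:\test.csv -NoTypeInformation
```

Reading the Security log needs an elevated session, and Get-WinEvent -FilterHashtable only works against live event logs, so run the last pipeline on the DC (or remotely with -ComputerName). Keying each value by its section is the point of the parser: a plain Select-String for "Account Name" returns both the subject's and the member's line with no way to tell them apart, which is exactly the problem the asker hit.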
 
LVL 18

Assisted Solution

by:x-men
x-men earned 100 total points
ID: 36717690
You'll have to "work" the .substring()
