Solved

Powershell command to extract security log events

Posted on 2011-09-28
2
1,127 Views
Last Modified: 2012-05-12
I'm trying to write a powershell script that will extract info from the security logs of event type 4728 and 4729. The script is ok, but the message field includes the entire message field.
What I am interested are just these parts: the heading, subject account name, member account name, group name.
So, it would look like this:
A member was added to a security-enabled global group.
Account Name:      Admin.
Account Name:      CN=username,OU=Users,DC=domain,DC=com
Group Name: Administrators
 
Any help appreciated.


Get-EventLog "Security"| Where-Object {$_.EventID -eq 4728 -or $_.EventID -eq 4729} | Select TimeGenerated, message | export-csv c:\test.csv

Open in new window

0
Comment
Question by:sherryfitzgroup
2 Comments
 
LVL 16

Accepted Solution

by:
Dale Harris earned 250 total points
ID: 36717686
I haven't got the working script for this yet, but your starting point is using Select-String.

So output all of your info to a text file in a big block of info.  Then go through and do a Select String on your exported events that you care about.

Here's how you it would look once you had the text file in one big block:

get-content "BigFile.txt" | Select-string "Account","Group Name"

This would output every single Account line and Group Name line.

HTH,

Dale Harris
0
 
LVL 18

Assisted Solution

by:x-men
x-men earned 100 total points
ID: 36717690
you'll have to "work" the .substring()
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now