Powershell command to extract security log events

I'm trying to write a powershell script that will extract info from the security logs of event type 4728 and 4729. The script is ok, but the message field includes the entire message field.
What I am interested are just these parts: the heading, subject account name, member account name, group name.
So, it would look like this:
A member was added to a security-enabled global group.
Account Name:      Admin.
Account Name:      CN=username,OU=Users,DC=domain,DC=com
Group Name: Administrators
 
Any help appreciated.


Get-EventLog "Security"| Where-Object {$_.EventID -eq 4728 -or $_.EventID -eq 4729} | Select TimeGenerated, message | export-csv c:\test.csv

Open in new window

LVL 2
sherryfitzgroupAsked:
Who is Participating?
 
Dale HarrisProfessional Services EngineerCommented:
I haven't got the working script for this yet, but your starting point is using Select-String.

So output all of your info to a text file in a big block of info.  Then go through and do a Select String on your exported events that you care about.

Here's how you it would look once you had the text file in one big block:

get-content "BigFile.txt" | Select-string "Account","Group Name"

This would output every single Account line and Group Name line.

HTH,

Dale Harris
0
 
x-menIT super heroCommented:
you'll have to "work" the .substring()
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.