?
Solved

Powershell script to export EVents logs in human readable

Posted on 2013-10-30
7
Medium Priority
?
1,328 Views
Last Modified: 2013-11-02
Hi experts,

     I want a Power shell script to export event logs in below format. Please help somebody. I am very new to scripting.
AccountName	AccountDomain	Message			EventID	TimeCreated
John		Testserver	Workstation was locked	4800	10.30.2013 18:45

Open in new window

0
Comment
Question by:srsysdoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 25

Expert Comment

by:Coralon
ID: 39615762
The domain isn't easy to extract... I'm having to give that some thought.. but the basics are pretty easy..

get-eventlog -logname <name> | select-object -property UserName,Message,EventID,TimeGenerated

Open in new window


That gives you the basics.. doesn't include column headers.  If you need those, I can add more later.. :-)

Coralon
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 39616884
In future please provide more details (like "using the Security Event Log"), that makes it much easier to get reasonable responses. I reckon from event ID 4800 that you want to read that log.

What Coralon suggested won't work - it isn't that easy at all. Account data is included in the message body, and not available as (isolated) property. Parsing is depending on the message, so specific parsing only works with specific event IDs, and we will have to filter for those IDs or apply different parsing filters for different IDs.

You will also want to restrict the time span, similar to what has been posted in http://www.experts-exchange.com/Q_27711800.html .

My suggestion is to use:
$filedate = get-date -uformat "%m-%d-%Y"
$yesterday = (get-date) - (new-timespan -day 1)

Get-EventLog Security -After $yesterday <# -InstanceID 4800, 4801 #> |
  Select @{n='AccountName'   ; e={ if ($_.message -match '(?:Account Name|Logon Account):\s*(.+)\s*\r'  ) {$matches[1]} }},
         @{n='AccountDomain' ; e={ if ($_.message -match 'Account Domain:\s*(.+)\s*\r') {$matches[1]} }},
         @{n='Message'       ; e={ $_.message.Split("`r`n")[0] } },
         EventID,
         TimeGenerated |
  Export-Csv -NoTypeInformation Activity_$filedate.csv

Open in new window

You might want to restrict to specific event IDs. An example is included as comment.
1
 
LVL 25

Expert Comment

by:Coralon
ID: 39618401
Actually, what I put up did exactly what he asked, other than the one column.  I had tested it before posting it just to be sure.  

He didn't ask for a specific event, or a specific timeline, or even a specific log.

Coralon
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 
LVL 70

Expert Comment

by:Qlemo
ID: 39618725
Coralon,

My comment makes more sense if seen in context of the other question I referred to (and the Asker posted in). But you should have seen that "UserName" doesn't make ANY sense in context of this question, as it is empty all the time. Also, EventID 4800 is well-known to be in the Security log.
0
 

Author Comment

by:srsysdoc
ID: 39619506
Hi Coralon,

        Thanks for spending your valuable time on my question. Your script also working fine but it didn't show me the username.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 39619513
It showed the username from the event itself -- the account that was running the item that triggered the event.    It is definitely a different thing then looking for the account in the text of the event :-)  I'm glad Qlemo was able to get you those details.

As a matter of course, please be specific at what you want, don't leave it to us to guess :-)  Some of us will guess wrong, lol.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses
Course of the Month10 days, 13 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question