PowerShell script to export event logs in human-readable form

Hi experts,

I want a PowerShell script to export event logs in the format below. Please help, somebody. I am very new to scripting.

AccountName	AccountDomain	Message			EventID	TimeCreated
John		Testserver	Workstation was locked	4800	10.30.2013 18:45


srsysdoc asked:

Coralon commented:
The domain isn't easy to extract... I'm having to give that some thought... but the basics are pretty easy:

get-eventlog -logname <name> | select-object -property UserName,Message,EventID,TimeGenerated



That gives you the basics; it doesn't include column headers. If you need those, I can add more later. :-)

Coralon
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
In future, please provide more details (like "using the Security event log"); that makes it much easier to get reasonable responses. I reckon from event ID 4800 that you want to read that log.

What Coralon suggested won't work - it isn't that easy at all. Account data is included in the message body and is not available as an (isolated) property. Parsing depends on the message, so specific parsing only works with specific event IDs, and we will have to filter for those IDs or apply different parsing filters for different IDs.

You will also want to restrict the time span, similar to what has been posted in http://www.experts-exchange.com/Q_27711800.html .

My suggestion is to use:
# Date stamp for the output file name, and the start of the 24-hour window to export
$filedate = get-date -uformat "%m-%d-%Y"
$yesterday = (get-date) - (new-timespan -day 1)

# Account name and domain are pulled out of the message body with regular expressions;
# the Message column keeps only the first line of the event text
Get-EventLog Security -After $yesterday <# -InstanceID 4800, 4801 #> |
  Select @{n='AccountName'   ; e={ if ($_.message -match '(?:Account Name|Logon Account):\s*(.+)\s*\r'  ) {$matches[1]} }},
         @{n='AccountDomain' ; e={ if ($_.message -match 'Account Domain:\s*(.+)\s*\r') {$matches[1]} }},
         @{n='Message'       ; e={ $_.message.Split("`r`n")[0] } },
         EventID,
         TimeGenerated |
  Export-Csv -NoTypeInformation Activity_$filedate.csv


You might want to restrict to specific event IDs. An example is included as comment.
1
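Qlemo's point that the parsing has to be chosen per event ID, shown as an added example (not code from the thread; the function name, the `$Parsers` table and the sample message are constructed here). It goes one step beyond the thread by adding 4624, whose message carries two "Account Name:" blocks and so needs a different pattern than 4800/4801.

```powershell
# Added example, not code from the thread. ConvertFrom-SecurityEvent and $Parsers are
# hypothetical names. 4800/4801 carry the account under "Subject:"; 4624 carries a second
# "Account Name:" under "New Logon:", which is the one a logon report wants, so the
# pattern for 4624 skips the Subject block. 4624 is not in the thread; it is added only
# to show why one pattern per ID is needed.
$AcctPattern = 'Account Name:\s*(?<Name>[^\r\n]+?)\s+Account Domain:\s*(?<Domain>[^\r\n]+?)\s*$'
$Parsers = @{
    4800 = "(?sm)Subject:.*?$AcctPattern"    # workstation locked
    4801 = "(?sm)Subject:.*?$AcctPattern"    # workstation unlocked
    4624 = "(?sm)New Logon:.*?$AcctPattern"  # successful logon: take the New Logon block
}

function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry)
    process {
        $name = $domain = $null
        $pattern = $Parsers[[int]$Entry.EventID]
        # IDs without a parser still produce a row, with empty account columns
        # rather than a value guessed from the wrong part of the message.
        if ($pattern -and $Entry.Message -match $pattern) {
            $name   = $Matches['Name'].Trim()
            $domain = $Matches['Domain'].Trim()
        }
        [pscustomobject]@{
            AccountName   = $name
            AccountDomain = $domain
            Message       = ($Entry.Message -split '\r?\n')[0].Trim()  # first line only
            EventID       = $Entry.EventID
            TimeCreated   = $Entry.TimeGenerated
        }
    }
}

# Constructed 4800 message in the layout the Security log uses, so the parser can be
# exercised without reading a live log. Values are made up.
$sample = [pscustomobject]@{
    EventID       = 4800
    TimeGenerated = Get-Date '2013-10-30 18:45'
    Message       = "The workstation was locked.`r`n`r`nSubject:`r`n`tSecurity ID:`t`tS-1-5-21-1-2-3-1001" +
                    "`r`n`tAccount Name:`t`tJohn`r`n`tAccount Domain:`t`tTestserver`r`n`tLogon ID:`t`t0x1a2b3"
}
$sample | ConvertFrom-SecurityEvent | Format-Table -AutoSize

# Live use, restricted to the last day and to the IDs we have parsers for:
# Get-EventLog Security -After (Get-Date).AddDays(-1) -InstanceId 4800, 4801 |
#   ConvertFrom-SecurityEvent | Export-Csv -NoTypeInformation "Activity_$(Get-Date -UFormat '%m-%d-%Y').csv"
```

The sample row comes out as AccountName John, AccountDomain Testserver, Message "The workstation was locked.", EventID 4800, matching the layout the question asked for.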

Coralon commented:
Actually, what I put up did exactly what he asked, other than the one column. I had tested it before posting it just to be sure.

He didn't ask for a specific event, or a specific timeline, or even a specific log.

Coralon
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Coralon,

My comment makes more sense if seen in the context of the other question I referred to (and the Asker posted in). But you should have seen that "UserName" doesn't make ANY sense in the context of this question, as it is empty all the time. Also, EventID 4800 is well known to be in the Security log.
0
srsysdoc (Author) commented:
Hi Coralon,

Thanks for spending your valuable time on my question. Your script is also working fine, but it didn't show me the username.
0
Coralon commented:
It showed the username from the event itself -- the account that was running the item that triggered the event. It is definitely a different thing than looking for the account in the text of the event. :-) I'm glad Qlemo was able to get you those details.

As a matter of course, please be specific about what you want; don't leave it to us to guess. :-) Some of us will guess wrong, lol.
0