Silvan
asked on

Powershell Filter Eventlog Message String after Account Name

Dear Community

I am trying to filter a string from an event log message with PowerShell and write it into a log file.  
Actually I use the following command:
get-winevent -FilterHashtable @{Logname='Security';ID=4740}  -MaxEvents 1 | FL

I attached the output for the command above (filter-account-name.png). In that output I tagged a string with yellow. Is it possible to extract only that string, which is the account name, and set it into a variable?

There are commands like select-string or findstr, but I was not able to filter only the account name with these commands.

Thank you in advance for your help

Best regards
steffeninf
filter-account-name.PNG
ASKER CERTIFIED SOLUTION
oBdA

Silvan
ASKER

Great, it works as expected. But I still have a question: how did you know that the user name is stored in "Properties[0]"?
Using the second-most important PS command after Get-Help (namely Get-Member), and some educated guessing.
For speed reasons, assign the result of your query to a variable:
$e = Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4740} -MaxEvents 1


Then examine that object (gm is an alias for Get-Member):
$e | gm


You'll get a bunch of methods and properties, and the "Properties" property looks interesting. You check it out:
$e.Properties


and you find the properties as listed in the "Friendly View" of the event viewer's details.
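An added example, not code from the thread or from oBdA: it shows why Properties[0] holds the account name (the Data elements in the event's XML appear in the same order as the Properties collection) and how to read the fields by name instead, then appends the locked-out account and caller computer to a log file. It assumes a Windows host with PowerShell 5.1 or later, read access to the Security log (an elevated session), and a writable $LogPath; the field names TargetUserName and TargetDomainName are the EventData names used by event 4740, and the sample XML record is constructed for offline testing.

```powershell
# Added example (not from the original thread). Assumptions: Windows, PowerShell 5.1+,
# read access to the Security log, writable $LogPath. Field names follow the
# EventData schema of Security event 4740 (account lockout).

function ConvertFrom-EventDataXml {
    # Parse an event record's XML and return its EventData as an ordered hashtable
    # keyed by the <Data Name="..."> attribute, so fields are addressed by name
    # rather than by guessing an index into $event.Properties.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml    = [xml]$EventXml
    $fields = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $fields
}

function Show-PropertyIndexMap {
    # Print which EventData name belongs to each $Event.Properties[i]. The Data
    # elements and the Properties collection share the same order, which is why
    # TargetUserName ends up at index 0 for event 4740.
    param([Parameter(Mandatory)]$Event)

    $names = @((ConvertFrom-EventDataXml -EventXml $Event.ToXml()).Keys)
    for ($i = 0; $i -lt $Event.Properties.Count; $i++) {
        '{0,2}  {1,-20} {2}' -f $i, $names[$i], $Event.Properties[$i].Value
    }
}

function Write-LockoutLog {
    # Read the most recent 4740 events and append one tab-separated line per
    # event: time, locked-out account, caller computer name.
    param(
        [int]$MaxEvents = 10,
        [string]$LogPath = (Join-Path $env:TEMP 'lockouts.log')
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4740 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $f = ConvertFrom-EventDataXml -EventXml $e.ToXml()
        # TargetUserName is the account that was locked out (Properties[0] in the
        # thread); for 4740, TargetDomainName carries the caller computer name.
        $line = "{0:u}`t{1}`t{2}" -f $e.TimeCreated, $f['TargetUserName'], $f['TargetDomainName']
        Add-Content -Path $LogPath -Value $line
    }
    return $LogPath
}

# Constructed sample record (not a real event) so the parser can be exercised
# without access to a Security log; SIDs and names are made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4740</EventID>
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-042</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

$fields = ConvertFrom-EventDataXml -EventXml $sampleXml
$fields['TargetUserName']      # the locked-out account, same value as Properties[0]
$fields['TargetDomainName']    # the caller computer name for a 4740 event

# Live use (needs Security log read access):
#   $e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4740 } -MaxEvents 1
#   Show-PropertyIndexMap -Event $e
#   Write-LockoutLog -MaxEvents 50 -LogPath 'C:\Logs\lockouts.log'
```

Reading fields by name is the safer habit: Properties[0] happens to be the account name for 4740, but other event IDs lay their data out differently, and a script that hard-codes indices silently logs the wrong field when it is pointed at another event.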