How to read "Message" objects from the Server 2016 Security Event Viewer log?

namerg
Hello, I have been tasked with enabling file auditing on a Windows Server 2016. I did enable it and it is populating the Windows Event Viewer Security log.
I have the following code, but I would like to read or parse the contents of the "Message"; I do not need all of the Message values.
Get-WinEvent -LogName Security | Where {$_.Id -eq "4663"} | Format-List -Property Id, MachineName, UserId, TimeCreated, Message



Id          : 4663
MachineName : computername.domain.lcl
UserId      : 
TimeCreated : 1/19/2018 8:00:02 AM
Message     : An attempt was made to access an object.
              
              Subject:
              	Security ID:		S-1-5-21-4088890742-1793510203-2559070022-10247
              	Account Name:		domainaccount
              	Account Domain:		DOMAIN
              	Logon ID:		0x87273C8
              
              Object:
              	Object Server:		Security
              	Object Type:		File
              	Object Name:		D:\FilePath\FileName.xls
              	Handle ID:		0xedc
              	Resource Attributes:	S:AI
              
              Process Information:
              	Process ID:		0x4
              	Process Name:		
              
              Access Request Information:
              	Accesses:		WriteData (or AddFile)
              				
              	Access Mask:		0x2


I would like to have the Account Name, Account Domain, Object Type, Object Name and the Access Request Information: Accesses.
Thanks for your help
Top Expert 2014
Commented:
Here's one method.
# Properties[] follows the EventData order of event 4663:
#   0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName, 3 SubjectLogonId,
#   4 ObjectServer, 5 ObjectType, 6 ObjectName, 7 HandleId, 8 AccessList,
#   9 AccessMask, 10 ProcessId, 11 ProcessName, 12 ResourceAttributes
# Accesses is pulled from the rendered Message because Properties[8] holds an
# untranslated "%%nnnn" code rather than the text.
Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=4663 } |
 Select Id, MachineName, TimeCreated,
        @{n="AccountName";e={($_.Properties.value)[1]}},
        @{n="AccountDomain";e={($_.Properties.value)[2]}},
        @{n="ObjectType";e={($_.Properties.value)[5]}},
        @{n="ObjectName";e={($_.Properties.value)[6]}},
        @{n="Accesses";e={$_.Message | ? {$_ -match "Accesses:\s+([\w ]+)\s*"} | % { $Matches[1].Trim() }}}



I recommend the use of -filterhashtable to speed up the filtering of events.  A problem with the above is that it may not be directly transferable to the other event IDs, because the Properties could very well differ in position.  I had to use a different method for Accesses because the value contained in properties is not translated (appears more like "%%4433").

A more automated technique is one like that described in
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
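A position-independent variant of the same idea, added here as an example and not part of the original answer: instead of indexing Properties[] by number, it reads the event's XML and keys the EventData fields by their Name attribute, so it keeps working for other audit event IDs whose field order differs. It also decodes Accesses from the AccessMask bits (the standard file access rights printed in the 4663 message: 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE and so on), which sidesteps the untranslated "%%nnnn" value the answer mentions. The function names, the bit-name table and the sample record are my own; the sample XML is constructed to mirror the message in the question and is not a real capture.

```powershell
# Added example (not from the original post). Reads 4663 fields by name from the
# event XML and decodes the access mask; works on an EventLogRecord or a raw XML string.

# Standard file access-right bits (winnt.h FILE_* / standard rights), as rendered in 4663.
$FileAccessBits = [ordered]@{
    0x1      = 'ReadData (or ListDirectory)'
    0x2      = 'WriteData (or AddFile)'
    0x4      = 'AppendData (or AddSubdirectory)'
    0x8      = 'ReadEA'
    0x10     = 'WriteEA'
    0x20     = 'Execute/Traverse'
    0x40     = 'DeleteChild'
    0x80     = 'ReadAttributes'
    0x100    = 'WriteAttributes'
    0x10000  = 'DELETE'
    0x20000  = 'READ_CONTROL'
    0x40000  = 'WRITE_DAC'
    0x80000  = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function ConvertTo-AccessNames {
    param([int]$Mask)
    # Enumerate entries rather than index the ordered dictionary (an int index would be positional)
    $names = foreach ($entry in $FileAccessBits.GetEnumerator()) {
        if ($Mask -band $entry.Key) { $entry.Value }
    }
    if (-not $names) { return ('0x{0:X}' -f $Mask) }   # unknown/zero mask: keep the raw value
    return ($names -join ', ')
}

function ConvertFrom-Event4663 {
    # $Event is either a System.Diagnostics.Eventing.Reader.EventLogRecord or its XML as a string
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        # Name -> value table from <Data Name="...">; field order no longer matters
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $d[$node.GetAttribute('Name')] = $node.InnerText
        }
        $mask = [int]$d['AccessMask']   # "0x2" -> 2 (PowerShell parses 0x-prefixed strings)
        [pscustomobject]@{
            TimeCreated   = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer      = $xml.Event.System.Computer
            AccountName   = $d['SubjectUserName']
            AccountDomain = $d['SubjectDomainName']
            ObjectType    = $d['ObjectType']
            ObjectName    = $d['ObjectName']
            ProcessName   = $d['ProcessName']
            AccessMask    = '0x{0:X}' -f $mask
            Accesses      = ConvertTo-AccessNames -Mask $mask
        }
    }
}

# Constructed sample record mirroring the message in the question (not a real capture).
# AccessList carries an untranslated %% code in the raw XML, as the answer notes; it is not used.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2018-01-19T13:00:02.0000000Z"/>
    <Computer>computername.domain.lcl</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-4088890742-1793510203-2559070022-10247</Data>
    <Data Name="SubjectUserName">domainaccount</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x87273c8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\FilePath\FileName.xls</Data>
    <Data Name="HandleId">0xedc</Data>
    <Data Name="AccessList">%%4417</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
    <Data Name="ResourceAttributes">S:AI</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4663 -Event $sample | Format-List

# Against the live log (needs Event Log Readers membership or admin rights):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663 } -MaxEvents 50 | ConvertFrom-Event4663
```

For the sample above Accesses comes out as "WriteData (or AddFile)", matching the rendered message. Because the fields are looked up by name, the same function body can be reused for 4656 or 4660 by changing the field list, without recounting Properties[] positions.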
namerg, Systems Administrator (Author) commented:
Excellent. You are a genius as usual.
