How to read "Message" objects from Server 2016 Security event viewer log ?

Hello, I have been task to enable file auditing in a windows server 2016. I did enable it and it is populating the Windows Everviewer Security log.
I have the following code but I would like to read or parse the contents of the "Message" I do not need all the Message values.
Get-WinEvent -LogName Security | Where {$_.Id -eq "4663"} | Format-List -Property Id, MachineName, UserId, TimeCreated, Message

Open in new window


Id          : 4663
MachineName : computername.domain.lcl
UserId      : 
TimeCreated : 1/19/2018 8:00:02 AM
Message     : An attempt was made to access an object.
              
              Subject:
              	Security ID:		S-1-5-21-4088890742-1793510203-2559070022-10247
              	Account Name:		domainaccount
              	Account Domain:		DOMAIN
              	Logon ID:		0x87273C8
              
              Object:
              	Object Server:		Security
              	Object Type:		File
              	Object Name:		D:\FilePath\FileName.xls
              	Handle ID:		0xedc
              	Resource Attributes:	S:AI
              
              Process Information:
              	Process ID:		0x4
              	Process Name:		
              
              Access Request Information:
              	Accesses:		WriteData (or AddFile)
              				
              	Access Mask:		0x2

Open in new window

I would like to have the Account Name, Account Domain, Object Type, Object Name and the Access Request Information: Accesses.
Thanks for your help
namergSystems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

footechCommented:
Here's one method.
Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
 Select Id, MachineName, TimeCreated,
        @{n="AccountName";e={($_.Properties.value)[1]}},
        @{n="AccountDomain";e={($_.Properties.value)[2]}},
        @{n="ObjectType";e={($_.Properties.value)[5]}},
        @{n="ObjectName";e={($_.Properties.value)[6]}},
        @{n="Accesses";e={$_.Message | ? {$_ -match "Accesses:\s+([\w ]+)\s*"} | % { $Matches[1] }}}

Open in new window


I recommend the use of -filterhashtable to speed up the filtering of events.  A problem with the above is that it may not be directly transferable to the other event IDs, because the Properties could very well differ in position.  I had to use a different method for Accesses because the value contained in properties is not translated (appears more like "%%4433").

A more automated technique is one like that described in
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
namergSystems AdministratorAuthor Commented:
Excellent. You are a genius as usual.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.