0
votes

I have a script which returns the username, date, logon type and message from the security log for event IDs 4624 and 4634 with logon type 2.

The problem is that it returns only part of the username. E.g. if the username is aaaa.bbbb it returns only aaaa; if the username is cccc it returns cccc. How can I get the entire username please?

# Find-Matches is a helper from my own script; the pattern stops at the first non-word character, so the dot in "aaaa.bbbb" ends the match
$content = $i.message | Find-Matches -Pattern "Kontoname:\s+\w+"
if ($content.Count -eq 2) { $account = $content[1] } else { $account = $content }
$account = (($account -split ":")[1]) -replace "\s+", ""

1 Answer

0
votes

I don't have any example data to work with for events 4623 and 4634, but I've found the 'Properties' property or 'ToXML' method from the resulting System.Diagnostics.Eventing.Reader.EventLogRecord to be quite helpful. Much more helpful than trying to manually parse the 'Message' content.

Try this:

# Get an example event to work with
$EventExample = Get-WinEvent <# your params here #> | Select-Object -First 1

# Using the Properties property
# This will list some data you can access through the Properties member
# From here, just figure out which array index you need
$EventExample.Properties

# Using the ToXml method
# This will list the same data as Properties...
# with a Name (key) and a #text (value) that you can use to help identify the data
$EventXML = [xml]$EventExample.ToXml()
$EventXML.Event.EventData.Data

Here is a lengthy writeup on pulling this event data from Ashley McGlone.

Good luck!
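As an added example (not code from the question or the answer above), here is the ToXml approach carried through to the full account name, run against a constructed 4624 event so it works without a live Security log. The function name ConvertFrom-LogonEventXml is my own; the EventData field names TargetUserName, TargetDomainName and LogonType are the ones Windows writes for events 4624 and 4634.

```powershell
# Added example: read the full account name from a 4624/4634 event via ToXml()
# instead of a regex over the localized Message text, so a dot in the name survives.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$XmlText)
    $x = [xml]$XmlText
    # Map Name -> #text so the order of <Data> elements does not matter
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId   = [int]$x.Event.System.EventID
        Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
        LogonType = [int]$data['LogonType']
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }
}

# Constructed sample in the shape Windows emits for event 4624 (values are made up)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-02T08:15:00.1234567Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">aaaa.bbbb</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $sample   # User is CONTOSO\aaaa.bbbb, the dot is kept

# Same function against the live log (Windows only): interactive logons and logoffs
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } -MaxEvents 50 |
    ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } |
    Where-Object LogonType -eq 2
```

Filtering on the parsed LogonType field rather than on Message text also keeps the check independent of the event log's display language (the "Kontoname:" label in the question is the German rendering).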