1
votes

As a part of my security admin duties, I need to look through Windows event logs on the domain controller for failed login attempts.

What I currently do is go to the security logs within Windows Event Viewer and filter by Audit Failures. I have to do this on a daily basis. It is a bit of a cumbersome and tedious process for a simple task.

I would like to be able to use PowerShell to pull out the information I need and export it to CSV so I can easily skim through the information and sort as needed.

As an example of what I was attempting, I tried the following:

    # Pull Security log events with ID 4771 (Kerberos pre-authentication failed)
    # and write the default object properties to CSV
    Get-WinEvent -FilterHashtable @{ logname = 'Security'; id = 4771 } |
        Export-Csv -NoType "c:\Output.csv"

The problem is, this output does not show the username, target IP, or port. When I look at one of the events, I see that these values can be found in the raw XML view (TargetUserName, IpAddress, IpPort) but I just can't figure out how to query those values to show up in the output. Does anyone know how this can be accomplished?

1
Export it as XML instead, perhaps |%{$_.ToXml()} or Export-Clixml – Thomas Weller

1 Answer

0
votes

The values you are looking for are in the Properties property. Try this:

    # For event ID 4771 the EventData fields are positional:
    # [0] TargetUserName, [6] IpAddress, [7] IpPort
    # The -replace strips the "::ffff:" prefix of IPv4-mapped IPv6 addresses
    Get-WinEvent -FilterHashtable @{ logname = 'Security'; id = 4771 } |
        Select-Object TimeCreated,
            @{ Name='TargetUserName'; Expression={ $_.Properties[0].Value } },
            @{ Name='IpPort';         Expression={ $_.Properties[7].Value } },
            @{ Name='IpAddress';      Expression={ $_.Properties[6].Value -replace "::ffff:" } }
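The answer above reads the fields by their position in Properties[], which works for 4771 but silently breaks if an index is wrong for another event ID. The following is an added example (not code from the question or the answer) that instead parses the event XML, as the comment on the question suggests, and looks the fields up by name, then exports to CSV and prints a short triage summary. It assumes it is run in an elevated session on a domain controller; the lookback window, output path, and the small status-code lookup table are assumptions added for illustration.

```powershell
# Added example: export Kerberos pre-authentication failures (Security ID 4771)
# to CSV, resolving EventData fields by name from the event XML.
# Assumptions: elevated PowerShell on (or with remote access to) a DC;
# $ComputerName, $Hours and $OutFile are placeholders to adjust.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [string]$OutFile = "C:\Temp\KerberosPreAuthFailures.csv"
)

# Common values of the 4771 "Status" field (Kerberos error codes); anything
# not listed is reported as 'Unknown' rather than dropped.
$KerberosStatus = @{
    '0x6'  = 'Client not found in Kerberos database'
    '0x12' = 'Client credentials revoked (account disabled/locked)'
    '0x17' = 'Password expired'
    '0x18' = 'Pre-authentication failed (bad password)'
    '0x25' = 'Clock skew too great'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # ToXml() returns the raw event XML; index EventData/Data by its Name
        # attribute so the code does not depend on Properties[] ordering.
        [xml]$xml = $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $status = $data['Status']
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $data['TargetUserName']
            # DCs record IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.0.0.5"); strip the prefix
            IpAddress      = ($data['IpAddress'] -replace '^::ffff:', '')
            IpPort         = $data['IpPort']
            Status         = $status
            StatusText     = if ($KerberosStatus.ContainsKey($status)) { $KerberosStatus[$status] } else { 'Unknown' }
            DC             = $_.MachineName
        }
    }

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Triage summary: accounts and source addresses with the most failures first,
# which is what a daily review usually needs to see before opening the CSV.
$rows | Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Two caveats when using this for a daily review: 4771 only covers Kerberos pre-authentication, so NTLM or local logon failures surface under a different event ID and need their own filter, and Get-WinEvent's -FilterHashtable only narrows on log, ID and time here, so the per-event XML parsing is the part that costs time on a busy DC; keep the lookback window tight rather than querying the whole log.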