0
votes

I'm looking to get a list of users who have logged onto a machine and when, and am working with the following PowerShell example:

Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'username')} |
    select -property timegenerated, replacementstrings

Which is returning:

TimeGenerated       ReplacementStrings                           
-------------       ------------------                           
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 07:45:08 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}

replacementstrings[5] is the username, which I want to include instead of the whole array.

But the following does not work:

PS C:\> Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'user')} |
    select -property timegenerated, replacementstrings[5]

TimeGenerated       replacementstrings[5]
-------------       ---------------------
14/08/2019 08:50:34                      
14/08/2019 08:50:34                      
14/08/2019 07:45:08    

It comes out blank.

I've had a bit of a play with the -ExpandProperty, but the output here is not what I'm looking for, and I seem to lose access to the TimeGenerated property:

PS C:\> Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'gary-smith')} |
    select -property timegenerated -ExpandProperty replacementstrings |
    format-table

S-1-5-18
TT01022$
DOMAIN
0x3e7
S-1-5-21-2072319296-1284187727-59193277-2383
user
DOMAIN
0x1eef92935
2
User32 
Negotiate
TT01022
{00000000-0000-0000-0000-000000000000}
-
-
0
0xbd4
C:\Windows\System32\svchost.exe
127.0.0.1
0
%%1833
-
-
-
%%1843
0x1eef927e1
%%1843
S-1-5-18
TT01022$
DOMAIN
0x3e7
...

I'm simply looking for the output to be:

TimeGenerated       User
-------------       ---------------------
14/08/2019 08:50:34 user
14/08/2019 08:50:34 user
14/08/2019 07:45:08 user

I will be changing the filter to find multiple users, so want the user to be displayed rather than taking it from the input/filter itself.

1
you need to use a calculated property instead of an array index in your Select-Object call. - Lee_Dailey
Okay, so a calculated property seems to have done the trick, but I have no idea why this is needed, can someone explain please!? - Gary Smith
Get-EventLog security -source microsoft-windows-security-auditing | where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'gary-smith')} | select -property timegenerated, @{ Name = 'User'; Expression = { $_.replacementstrings[5] }} - Gary Smith
you need to put your code into the Original Post if you want it to be readable. [grin] ///// as for WHY you need a calculated property ... that is how Select-Object works. it cannot select anything other than a property so, if you want something that is not a property [and a sub-item in an array is not a property], you need to make one - thus "calculated property". [grin] - Lee_Dailey

1 Answer

0
votes

So, the code that eventually produced the output I was looking for was:

Get-EventLog Security -Source microsoft-windows-security-auditing  |
    Where {($_.instanceID -eq 4624) -AND ($_.replacementstrings[5] -LIKE "*user*")} |
    Select-Object -Property TimeGenerated, @{ Name = 'User'; Expression = {  $_.replacementstrings[5] }} |
    Format-Table @{Name='Time Generated';Width=20;Expression={$_.TimeGenerated}},@{Name='User';Width=40;Expression={$_.User}}

This is using a calculated property (thanks @Lee_Dailey for helping with this) and is formatting the output.

:)
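The same calculated-property technique taken a step further, as an added example that is not code from the question, the comments or the answer: it turns the other 4624 fields visible in the expanded output above (domain, logon type, workstation, source address) into named properties, maps the logon type code to a name, and drops the noisy machine-account logons. The field indices, the logon-type table, the function names and the sample events are this example's own assumptions and constructions.

```powershell
# Added example, not the poster's code. Field positions follow the 4624 layout visible in
# the question's expanded output: [5] account, [6] domain, [8] logon type, [11] workstation,
# [18] source address. Sample events below are constructed, not real log data.
$LogonTypeNames = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                     '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

function Get-LogonSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Event,
        [switch] $IncludeMachineAccounts   # computer accounts end in '$' and are very noisy
    )
    process {
        if (-not $IncludeMachineAccounts -and $Event.ReplacementStrings[5] -like '*$') { return }
        # Select-Object can only emit properties, so each array element becomes a
        # calculated property: a hashtable with a Name and an Expression script block.
        $Event | Select-Object -Property TimeGenerated,
            @{ Name = 'User';        Expression = { $_.ReplacementStrings[5] } },
            @{ Name = 'Domain';      Expression = { $_.ReplacementStrings[6] } },
            @{ Name = 'LogonType';   Expression = {
                $code = $_.ReplacementStrings[8]
                if ($LogonTypeNames.ContainsKey($code)) { $LogonTypeNames[$code] } else { "Type $code" } } },
            @{ Name = 'Workstation'; Expression = { $_.ReplacementStrings[11] } },
            @{ Name = 'SourceIP';    Expression = { $_.ReplacementStrings[18] } }
    }
}

# Constructed stand-ins shaped like EventLogEntry (TimeGenerated + ReplacementStrings),
# so the function can be exercised without access to a Security log.
function New-SampleEvent ([string]$Time, [string]$User, [string]$Type, [string]$Ip) {
    $rs = @('-') * 20   # 4624 carries 20+ strings; only the ones read above are filled in
    $rs[5] = $User; $rs[6] = 'DOMAIN'; $rs[8] = $Type; $rs[11] = 'TT01022'; $rs[18] = $Ip
    [pscustomobject]@{ TimeGenerated = [datetime]$Time; InstanceId = 4624; ReplacementStrings = $rs }
}
$sample = @(
    (New-SampleEvent '2019-08-14 07:45:08' 'TT01022$'   '5'  '-')          # service logon by the machine account
    (New-SampleEvent '2019-08-14 08:50:34' 'gary-smith' '2'  '127.0.0.1')  # console logon
    (New-SampleEvent '2019-08-14 09:12:01' 'gary-smith' '10' '192.0.2.10') # remote interactive logon
)
$sample | Get-LogonSummary | Format-Table -AutoSize   # the machine-account row is filtered out

# Against the live log (Windows PowerShell 5.1; reading the Security log needs elevation).
# PowerShell 7 no longer ships Get-EventLog: use Get-WinEvent there and read
# $_.Properties[n].Value in place of $_.ReplacementStrings[n].
# Get-EventLog Security -InstanceId 4624 -Newest 500 | Get-LogonSummary | Format-Table -AutoSize
```

Filtering on `InstanceId` at the `Get-EventLog` call rather than in `Where-Object` avoids pulling every Security event into the pipeline before discarding most of them.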