0
votes

I need to read specific information from event log. in below script I cannot export the some value contains in XML View. In the XML view I Want Target username: BRSYSAD and Subjectusername : 900011-LT

Script

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID.'#text'
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer      = $eventXml.System.Computer
        Data          = $eventXml.EventData.Data
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation

Current Output

Event log XML View

1

1 Answers

1
votes

You should be able to get the TargetUserName and SubjectUserName properties by filtering the EventData for those specifically named attributes.

Example code updated (I've also removed the .'#text' part from the EventID line to ensure this value is captured)

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer      = $eventXml.System.Computer
        TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text'
        SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text'
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation

If you prefer, you could pull out all attributes with the following instead:

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    $object = [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer      = $eventXml.System.Computer
    }

    $eventXml.EventData.Data | ForEach-Object { $object | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.'#text' }
    $object
}

# output on screen$
$result | Format-Table -AutoSize

You'd then end up with all the attributes available to you and each result would contain data such as:

Example result data