
I am trying to create a script that pulls failed logon attempts for certain events in the past 24 hours, but I can't figure out how to pull the account information out. User is Null all the time, so the info is blank, BUT when I look in the General tab I can see "Account Information".

I would like to pull and add what it shows in the XML view under "event data" which is TargetUserName. How can I get this done? What I have so far works fine but I need the username info and what my script pulls is always blank.

System: Windows Server 2008 R2. The log I am pulling from is the Security log, with event IDs 4625, 4768, 4771, 4772, for the past 24 hours.

My code:

Get-EventLog Security 4625,4768,4771,4772 -After ((Get-Date).AddDays(-1)) | Export-Csv "c:\temp\yourlog.csv" -NoTypeInformation

2 Answers


Try the following. It will extract TargetUserName from the event's message and add it as a new column to the original event. You will now be able to export it to c:\temp\yourlog.csv or wherever you need to.

Get-EventLog Security 4625,4768,4771,4772 -After ((Get-Date).AddDays(-1)) | ForEach-Object {
    # 4625 lists "Account Name:" twice (Subject first, then the account the logon was for),
    # so take the last match; the Kerberos events (4768/4771/4772) list it once.
    $m = $_.Message -split "`r?`n" | Select-String 'Account Name:\s*(\S.*)$' | Select-Object -Last 1
    $name = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
    # -PassThru emits the event with the new property so the other columns are kept
    $_ | Add-Member -MemberType NoteProperty -Name TargetUserName -Value $name -PassThru
} | Export-Csv "c:\temp\yourlog.csv" -NoTypeInformation
  • This did pull the required info but it did not add it to the rest of the report it just replaced the content. In other words the original report has event ID, date, machine name, entry type but this only pulls up the account name and nothing else - almost like that snippet stops the rest of the info from getting pulled in as well. Commented Mar 25, 2014 at 17:16
  • I amended the answer, this should get you what you need. Commented Mar 28, 2014 at 14:57
  • This did it - I did have to remove the [0] to make it work but this was the answer - From here I have been able to continue adding in order to filter further. Thank you for the help Commented Mar 29, 2014 at 16:08

Because the Event returns an XML object, you'll have to parse that to get the user info. I use this to grab locked out accounts via the task scheduler and it emails me the XML info as text so I can review it. It doesn't answer your question, but might work for you as a workaround. I prefer to know about the events immediately rather than way after the fact. There is a bug in that if it fires and there is another event in the meantime, the script only looks at the most recent event, so keep that in mind. For my setup, which gets maybe 1 of these a day, it is fine.

$5MinutesAgo = [DateTime]::Now.AddMinutes(-5)
$messageParameters = @{
    Subject    = "User Account Locked/Unlocked on VADS01"
    # -After lets the provider skip older records instead of scanning the whole log
    Body       = Get-EventLog "Security" -After $5MinutesAgo |
                 Where-Object { $5MinutesAgo -le $_.TimeWritten -and ($_.EventID -eq 4740 -or $_.EventID -eq 4767) } |
                 Format-List | Out-String
    From       = "[email protected]"
    To         = "[email protected]"
    SmtpServer = "smtp01.domain.com"
}
Send-MailMessage @messageParameters
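The question asks for the TargetUserName shown under EventData in the XML view, and the second answer points out that the event is XML underneath. This added example (not code from the question or either answer) reads the fields from that XML directly with Get-WinEvent, which avoids regex-parsing the localized Message text; it assumes PowerShell 2.0 or later, and the output path is a placeholder to change.

```powershell
# Added example: pull TargetUserName (and a few related EventData fields) from the
# Security log for the same event IDs and 24-hour window as the question.
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4772
    StartTime = (Get-Date).AddDays(-1)
}

# -ErrorAction SilentlyContinue: Get-WinEvent reports an error when nothing matches
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    # Each EventData/Data element has a Name attribute matching the XML view
    # (TargetUserName, TargetDomainName, IpAddress, Status, ...); missing fields stay empty.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        TimeCreated      = $_.TimeCreated
        EventId          = $_.Id
        MachineName      = $_.MachineName
        TargetUserName   = $data['TargetUserName']
        TargetDomainName = $data['TargetDomainName']
        SourceIp         = $data['IpAddress']
        # 4625 and the Kerberos events all carry a Status code explaining the failure
        Status           = $data['Status']
    }
}

$rows |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, EventId, MachineName, TargetDomainName, TargetUserName, SourceIp, Status |
    Export-Csv 'C:\temp\failed-logons.csv' -NoTypeInformation   # placeholder path
```

Grouping the result by TargetUserName and SourceIp is a quick way to spot one account or one source behind many failures, which is usually the question a 24-hour failed-logon report is meant to answer.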
