Reputation: 11
Match the User Name against the Security EventLog
I want to take a domain user and for it want to check the Security Event Logs for say Logon and then Print the events which match but it returns me null value:
Get-EventLog -Log Security -Computer PC1 -InstanceID 4624 -After(Get-Date).AddDays(-2) | ? {
$_.Message -match "Account Name:\s+qasimali\s" -and
$_.Message -match 'Logon Type:\s+(2|10)\s"
}
but it generates no data for output
Read-Host : name cannot be Null or Empty.
Whereas command runs and gives no error. I just want to check whether this command is running fine or not.
Upvotes: 0
Views: 1173
Answers (1)
Reputation: 71
The way I have done this in the past is as follows ( Thoroughly Commented for clarity) :
## Set Username Input
$UserInput = "DOMAINUSER"
## Set date in past to retrieve events up to
$StartTime = ((Get-Date).AddMinutes(-2))
##Set Domain Controller to search on
$ComputerName = "DC1"
## Retrieve Event 4624 from DC Eveng Logs
$Logons = Get-WinEvent -ComputerName $ComputerName -FilterHashTable @{LogName="Security"; ID="4624"; StartTime=$StartTime;EndTime=(Get-Date)}
## Initialize variable to store outputs in
$EventOutput = @()
## Enumerate Events to retrieve usernames to compare against User Input
foreach ($Logon in $Logons) {
## Convert Event to XML
$LogonXML = [XML]$Logon.ToXML()
## Retrieve Username from XML Object
$LogonUser = (($LogonXML.Event.EventData.Data | Select "#text")[5])."#text"
## Retrieve Logon Type from XML Object
$LogonType = (($LogonXML.Event.EventData.Data | Select "#text")[8])."#text"
## Check Event Username matches User Input
if ($LogonUser -match $UserInput) {
## Check LogonType is correct
if ($LogonType -eq 2 -or $LogonType -eq 10) {
## Append Event Object to Event Output
$EventOutput += $Logon
}
}
}
## Output Resulting Event Output Object
$EventOutput
The Resulting Output can be manipulated to retrieve whatever details you wish. I find converting each Object to XML to parse further values useful.
NOTE : I've just thrown this together quickly from memory, this can be quickly restructured to enable other queries if required. Start and End Times will need to be changed to extract information from the correct timespan.
Upvotes: 2
Related Questions
- Filter get-eventlog by the subjects account name
- (PowerShell) How do I filter usernames with Get-EventLog
- Powershell Get ADUser filter
- Pull Account Name from Message in Eventlog - powershell
- Powershell: How to extract login information from Windows security event log?
- Filter result from Get-ADUser using sAMAccountname
- How to filter out which users are allowed to log in to a computer?
- How to read logon events and lookup user information, using Powershell?
- How to filter windows event security logs based of security ID (SID) and EventID using PowerShell
- Active Directory Filter memberof