Reputation: 531
How can I grab the "Account Name" for the section "Account For Which Logon Failed" in the below output from Get-EventLog? I know it involves replacement strings, but this just isn't getting it:
```powershell
Get-EventLog -ComputerName fs2 -LogName Security |
    ? { $_.EventID -eq "4625" } |
    Select-Object MachineName, EventID, @{n='AccountName'; e={ $_.ReplacementStrings[2] }},
                  EntryType, Message |
    Export-Csv 1.csv -NoTypeInformation
```
Sample event log entry:

```
TimeCreated  : 5/18/2016 8:55:43 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4625
Message      : An account failed to log on.

               Subject:
                   Security ID:    S-1-5-21-1287344763-2688370722-3395302928-19873
                   Account Name:   service_adfs
                   Account Domain: DOMAIN
                   Logon ID:       0xD62E4

               Logon Type:         3

               Account For Which Logon Failed:
                   Security ID:    S-1-0-0
                   Account Name:   [email protected]
                   Account Domain:
```
EDIT: Not sure why they edited my post to include the legacy cmdlet, works just fine with the newer cmdlet get-winevent. The regex does not work for me. This seems to work though.
```powershell
# Get-WinEvent returns EventLogRecord objects: the event ID is exposed as Id (not EventID)
# and the replacement values as Properties[n].Value (ReplacementStrings exists only on
# Get-EventLog output). For event 4625, index 5 is TargetUserName, the account name under
# "Account For Which Logon Failed".
Get-WinEvent -ComputerName fs1 -FilterHashtable @{ LogName='Security'; Id=4625 } |
    Select-Object TimeCreated, Message, MachineName, Id,
                  @{n='AccountName'; e={ $_.Properties[5].Value }}
```
Upvotes: 2
Views: 4398
Reputation: 58931
You could use a regular expression on the Message property:

```
Account For Which Logon Failed.* Account Name:.+?\b(.*?)\s
```
And here is your script:
```powershell
$regex = 'Account For Which Logon Failed.* Account Name:.+?\b(.*?)\s'

Get-EventLog -ComputerName fs2 -LogName Security |
    ? { $_.EventID -eq "4625" } |
    Select-Object MachineName, EventID,
                  @{n='AccountName'; e={ [regex]::Match($_.Message, $regex, [System.Text.RegularExpressions.RegexOptions]::Singleline).Groups[1].Value }},
                  EntryType, Message |
    Export-Csv 1.csv -NoTypeInformation
```
Upvotes: 3
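Both the positional-index approach in the question and the regex approach in the answer break when the message template or the field order changes (a localized OS, a different event version). As an added example, not code from either post, the script below reads the 4625 event's named EventData fields from its XML with Get-WinEvent, so `TargetUserName` is selected by name rather than by position or text pattern, and then groups the failures for triage. The computer name `fs1`, the output path and the 24-hour window are placeholder assumptions.

```powershell
# Added example: extract "Account For Which Logon Failed" details from 4625 events
# by field name via the event XML, then summarize failures per account and source.
# Assumptions: 'fs1', the CSV path and the time window are placeholders.
param(
    [string]$ComputerName = 'fs1',   # placeholder host name
    [int]$Hours = 24                  # placeholder look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Convert the record to XML and index <Data Name="..."> elements by their Name attribute
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        MachineName   = $e.MachineName
        Id            = $e.Id
        AccountName   = $data['TargetUserName']    # "Account For Which Logon Failed" -> Account Name
        AccountDomain = $data['TargetDomainName']
        LogonType     = $data['LogonType']
        SourceIP      = $data['IpAddress']
        Workstation   = $data['WorkstationName']
        Status        = $data['Status']            # e.g. 0xC000006D = bad user name or password
        SubStatus     = $data['SubStatus']         # e.g. 0xC0000064 = user name does not exist
    }
}

# Same output the question wanted, with the account name taken from the named field
$rows | Export-Csv -Path .\failed_logons.csv -NoTypeInformation

# Triage view: which account / source address pairs fail most often in the window
$rows | Group-Object AccountName, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Selecting by field name also sidesteps the regex's dependence on the English message template, and the Status/SubStatus columns let you separate non-existent accounts from wrong passwords without parsing the message text at all.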