Nathaniel Graham

Reputation: 23

Having trouble writing PowerShell output to CSV file

I'm a PowerShell newbie trying to write a simple script to look up the number of times a specific user has logged into a workstation, and export that information in a useful way to a CSV file so it can be easily manipulated. The CSV file only really needs to contain the time of login and the username mentioned in the "Message" section of the Security log entry.

My problem is it seems I can either get a CSV file with a truncated "Message" not containing the username, or I get all the information I want printed to host instead of exporting to CSV. I'm sure the solution is probably very basic, but like I said I'm a newbie.

In the code posted here I get everything I need printed to host, but I can't seem to get it into a CSV file. Any help would be appreciated.

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$a = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624}
foreach($item in $a)
{
    $timeLog = $item.TimeGenerated
    $item = $item.Message.Split(":")

    $subject = $item[3].split()
    #$subject[2]
    $NewLogin = $item[14].split()
    #$NewLogin[2]
    $WorkstationName = $item[26].split()
    #$WorkstationName[1]
    $SourceNetworkAddress = $item[27].split()
    #$SourceNetworkAddress[1]

    "Time: $timeLog Subject: $($subject[2]) NewLogin: $($NewLogin[2]) WorkstationName $($WorkstationName[1]) SourceNetworkAddress $($SourceNetworkAddress[1])"
}
Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv

Upvotes: 1

Views: 68

Answers (2)

RoscoeT

Reputation: 87

Try stuffing your results into an array like this untested code.

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$a = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624}
$ReportOutput = @() # An array to hold your output.
foreach($item in $a)
{
    $timeLog = $item.TimeGenerated
    $item = $item.Message.Split(":")

    $subject = $item[3].split()
    #$subject[2]
    $NewLogin = $item[14].split()
    #$NewLogin[2]
    $WorkstationName = $item[26].split()
    #$WorkstationName[1]
    $SourceNetworkAddress = $item[27].split()
    #$SourceNetworkAddress[1]

    "Time: $timeLog Subject: $($subject[2]) NewLogin: $($NewLogin[2]) WorkstationName $($WorkstationName[1]) SourceNetworkAddress $($SourceNetworkAddress[1])"

    $ReportOutput += [pscustomobject] @{
        Time = $timeLog;
        Subject = $subject[2];
        NewLogin = $NewLogin[2];
        WorkstationName = $WorkstationName[1];
        SourceNetworkAddress = $SourceNetworkAddress[1]
    } # Custom object to be exported via CSV
}

# Pipe the array so each element becomes a row; -InputObject would export the array object itself.
$ReportOutput | Export-Csv -NoTypeInformation -Path C:\UserLoginHistory\LoginHistory.csv

Upvotes: 0

user6811411

  • Don't reuse the variable $item of the foreach inside the {script block} for other purposes.
  • Create a [PSCustomObject] and emit it to a gathering variable for the whole foreach.

Untested template:

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$Events = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624} 

$Data = foreach($Event in $Events){
    $item = $Event.Message.Split(":")
    [PSCustomObject]@{
        Time                 = $Event.TimeGenerated
        Subject              = $item[3].split()[2]
        NewLogin             = $item[14].split()[2]
        WorkstationName      = $item[26].split()[1] 
        SourceNetworkAddress = $item[27].split()[1]
    }
}
$Data | Format-Table -Autosize *
$Data | Out-Gridview
$Data | Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv -NoTypeInformation

Upvotes: 1
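
An added example, not code from any of the posts above: rather than splitting `Message` on ":" at fixed indexes, it reads the named `EventData` fields of each 4624 event from its XML, which keeps working when a value such as an IPv6 source address contains colons. This goes beyond the answers by swapping `Get-EventLog` for `Get-WinEvent`. The function names `ConvertFrom-LogonEventXml` and `Get-UserLogonHistory` are hypothetical, and the sample event is constructed.

```powershell
# Added example. Function names are hypothetical; the sample event below is constructed.
function ConvertFrom-LogonEventXml {
    # Flatten one event's XML into an object by looking up EventData fields by name.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeUtc              = $xml.Event.System.TimeCreated.SystemTime
        Subject              = $fields['SubjectUserName']
        NewLogin             = $fields['TargetUserName']
        LogonType            = $fields['LogonType']
        WorkstationName      = $fields['WorkstationName']
        SourceNetworkAddress = $fields['IpAddress']
    }
}

function Get-UserLogonHistory {
    # Live query; reading the Security log requires an elevated session.
    param([Parameter(Mandatory)][string]$UserName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.NewLogin -eq $UserName }   # exact match on the field, not a wildcard over Message
}

# Constructed sample event (trimmed to the fields used), so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">2001:db8::10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample | ConvertTo-Csv -NoTypeInformation

# Against the real log, writing to the path used in the question:
# Get-UserLogonHistory -UserName 'jdoe' |
#     Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv -NoTypeInformation
```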
