Reputation: 39
I'm trying to parse the event log with ConvertFrom-String but am unable to get the result. The event and code are below.
$string=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$temp=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$string |ConvertFrom-String -TemplateContent $temp
Expected output is:
EventID Type ServerName ...etc
4768 Audit Success PAD.Local
Upvotes: 0
Views: 313
Reputation: 17472
You can give multiple examples in your pattern for a better analysis:
$string=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$temp=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:1},Microsoft-Windows-Security-Auditing,,{Type:Audit Success 2},{ServerName:XXXXX},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: dddddd} Supplied Realm Name: {Domain:XXXXXX} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$string |ConvertFrom-String -TemplateContent $temp
Upvotes: 1
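An added example, not part of the question or the answer: the same 4768 line parsed with a fixed regex instead of a ConvertFrom-String template. This avoids the dependence on how many and how varied the template examples are, and it also works on PowerShell 6+, where ConvertFrom-String no longer exists. The function name, the field names and the sample here-string (the question's own line) are my own choices.

```powershell
# Regex-based parser for the syslog-wrapped Windows 4768 event shown in the question.
# Assumption: the field labels inside the message ("Account Name:", "Result Code:", ...)
# are stable, which they are for Microsoft-Windows-Security-Auditing events.
function ConvertFrom-Kerberos4768 {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Header layout: <prefix>: <log>,rn=<n> cid=<n> eid=<n>,<time>,<eventid>,<provider>,,<type>,<server>,<task>,,<message>
        $header = '^(?<Prefix>%NICWIN-\S+):\s*(?<Log>[^,]+),rn=(?<Rn>\d+)\s+cid=(?<Cid>\d+)\s+eid=(?<Eid>\d+),' +
                  '(?<Time>[^,]+),(?<EventID>\d+),(?<Provider>[^,]*),,(?<Type>[^,]*),(?<ServerName>[^,]*),(?<Task>[^,]*),,(?<Message>.*)$'
        if ($Line -cnotmatch $header) { Write-Warning "Unrecognised line: $Line"; return }
        $m   = $Matches
        $msg = $m.Message
        # A labelled field is "<Label>: <value>" running up to the next "<Capitalised Label>:" or end of text.
        # -cmatch keeps [A-Z] case-sensitive so lowercase words inside a value do not end it early.
        function Get-Field([string]$Label) {
            if ($msg -cmatch "${Label}:\s*(?<v>.*?)(?=\s+[A-Z][\w ()-]*:|$)") { return $Matches.v.Trim() }
        }
        # Syslog timestamps pad single-digit days with a second space; collapse before parsing.
        $time = [datetime]::ParseExact(($m.Time -replace '\s+', ' '), 'ddd MMM d HH:mm:ss yyyy', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            Time           = $time
            EventID        = [int]$m.EventID
            Type           = $m.Type
            ServerName     = $m.ServerName
            AccountName    = Get-Field 'Account Name'
            Realm          = Get-Field 'Supplied Realm Name'
            UserSID        = Get-Field 'User ID'
            ServiceName    = Get-Field 'Service Name'
            ClientAddress  = (Get-Field 'Client Address') -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            ClientPort     = [int](Get-Field 'Client Port')
            TicketOptions  = Get-Field 'Ticket Options'
            ResultCode     = Get-Field 'Result Code'
            EncryptionType = Get-Field 'Ticket Encryption Type'
            PreAuthType    = Get-Field 'Pre-Authentication Type'
        }
    }
}

# Sample input: the question's event line, constructed here as a here-string.
$sample = @'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$event = $sample | ConvertFrom-Kerberos4768
$event | Format-Table EventID, Type, ServerName, AccountName, ClientAddress, ResultCode, EncryptionType, PreAuthType
# Once the fields are typed, the review questions become filters: a Result Code other than 0x0 is a
# failed TGT request, and a Pre-Authentication Type of 0 means no pre-authentication was performed.
$event | Where-Object { $_.ResultCode -ne '0x0' -or $_.PreAuthType -eq '0' }
```

The parsed object prints EventID 4768, Type "Audit Success", ServerName PAD.Local, AccountName SQLSVC, ClientAddress 192.168.1.5, ResultCode 0x0, EncryptionType 0x12 and PreAuthType 2 for the sample line, and the final filter returns nothing for it.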