Reputation: 25
I'm trying to use Get-WinEvent + Select-String to filter and get the IP from events 4625.
After Get-WinEvent I want to filter the results to show only the "Source Network Address:" line, which will provide me the list of IPs I need to block.
Below is an example of the results, thanks in advance!
PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1 | fl
TimeCreated  : 15/02/2023 07:43:25
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4625
Message      : An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: ADMINISTRATOR
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 209.45.48.94
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I tried this way, but no results showed:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 100 | Select-String -Pattern "Source Network Address:"
Upvotes: 1
Views: 1160
Reputation: 142
# split the message on ':' and on tabs, keep the fragment that looks like an IPv4 address, then trim the surrounding whitespace and line break
(Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1).Message.split(':') -split("`t") | ? { $_ -match '\d+\.\d+\.\d+\.\d+' } | % { $_.Trim() }
Upvotes: 1
Reputation: 61028
To get information from the Windows Event log, it is cumbersome to try and parse that out of the Message string.
Better look at the XML where the values can be found under their own attribute names:
$result = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 100 | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the values from the XML representation
    [PsCustomObject]@{
        UserName  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        IpAddress = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        EventDate = [DateTime]$eventXml.System.TimeCreated.SystemTime
    }
}
Now, if all you want from this is the list of IP addresses, just do
$result.IpAddress
Upvotes: 1
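The XML approach in the answer above also makes it easy to go one step further than a flat list and count failures per source address, so that only repeat offenders end up on a block list. The following is an added example, not code from the question or any answer; the threshold, the loopback exclusion and the constructed sample events are assumptions.

```powershell
# Added example: summarise 4625 events per source IP from their XML representation.
function Get-FailedLogonSummary {
    param(
        # one XML string per event, as returned by $event.ToXml()
        [Parameter(Mandatory)] [string[]] $EventXml,
        # hypothetical cutoff: report only sources with at least this many failures
        [int] $Threshold = 5
    )
    $rows = foreach ($text in $EventXml) {
        $ev = ([xml]$text).Event
        $data = @{}
        foreach ($d in $ev.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PsCustomObject]@{
            Time      = [DateTime]$ev.System.TimeCreated.SystemTime
            User      = $data['TargetUserName']
            IpAddress = $data['IpAddress']
            SubStatus = $data['SubStatus']   # 0xC0000064 in the question = unknown user name
        }
    }
    # '-' means the failure had no network source (console/local); loopback cannot be blocked either
    $rows | Where-Object { $_.IpAddress -and $_.IpAddress -notin '-', '127.0.0.1', '::1' } |
        Group-Object IpAddress |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [PsCustomObject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

# Constructed sample input (not real log data), in the shape ToXml() produces for a 4625 event
$sample = @(
    @('209.45.48.94', 'ADMINISTRATOR', '0xC0000064', '2023-02-15T07:43:25Z'),
    @('209.45.48.94', 'ADMIN',         '0xC0000064', '2023-02-15T07:43:26Z'),
    @('209.45.48.94', 'ROOT',          '0xC0000064', '2023-02-15T07:43:27Z'),
    @('10.0.0.7',     'alice',         '0xC000006A', '2023-02-15T08:00:00Z'),
    @('-',            'bob',           '0xC000006A', '2023-02-15T08:05:00Z')
) | ForEach-Object {
    "<Event><System><EventID>4625</EventID><TimeCreated SystemTime='$($_[3])'/></System>" +
    "<EventData><Data Name='TargetUserName'>$($_[1])</Data><Data Name='SubStatus'>$($_[2])</Data>" +
    "<Data Name='IpAddress'>$($_[0])</Data></EventData></Event>"
}
Get-FailedLogonSummary -EventXml $sample -Threshold 2   # reports only 209.45.48.94 (3 failures)

# Against the live log:
# Get-FailedLogonSummary -Threshold 10 -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1000 | ForEach-Object { $_.ToXml() })
```

The Select-String attempt in the question produces nothing because Select-String stringifies each pipeline object, and an EventLogRecord stringifies to its type name rather than its Message; piping `$_.Message` (or the XML values as above) is what gives it text to match.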
Reputation: 2434
As it seems you need to extract an IP address, I would suggest using a regex to match it.
$regex = [regex]::new("\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 100 | Foreach {$regex.Match($_.Message).Value}
This code loops through each result which Get-WinEvent returns and checks the Message property against the regex for an IP address. When no match is found it will return an empty line.
Upvotes: 1