Extracting a String using Regex

This topic contains 6 replies, has 4 voices, and was last updated by Eric Salamone 2 years, 6 months ago.

  • #15657
    Eric Salamone
    Participant

    I'm wanting to pull the "Account Name: Person's name" from the Message property under Get-EventLog. After I pipe it, I use the hash table below, but it pulls the entire Message property's text. I tried using "\b" for boundaries, but that didn't change anything. I am trying to learn regular expressions, so I'm not sure if I am misunderstanding the expressions' meanings.

    select @{n='Message'; e={$_.Message -replace "'^(Account Name:.)$','$1'}}

    Thank you for any help.

  • #15658
    Daniel Krebs
    Participant

    Eric,

    Would you be able to attach a full example of the event log message (obfuscate any sensitive info) and the command line used to retrieve it?

  • #15660
    Eric Salamone
    Participant

    Get-EventLog -LogName Security -InstanceId 4624 | select TimeGenerated, @{n='Message'; e={$_.Message -replace "'^(Account Name:.)$','$1'}} | format-list

  • #15663
    Eric Salamone
    Participant

    Sorry, I thought you meant the event cmdlet that I was using.

    Message : An account was successfully logged on.

    Subject:
    Security ID: S-1-5-18
    Account Name: SO-PC$
    Account Domain: WORKGROUP
    Logon ID: 0x3e7

    Logon Type: 2

    New Logon:
    Security ID: S-1-5-21-2415982056-31499485-2897633832-1007
    Account Name: Salamone
    Account Domain: SO-PC
    Logon ID: 0x1ec8b42
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x12ec
    Process Name: C:\Windows\System32\winlogon.exe

    Network Information:
    Workstation Name: SCOO-PC
    Source Network Address: 127.0.0.1
    Source Port: 0

    Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon session is created. It is genera.....

  • #15668
    Mike F Robbins
    Participant

    There's an easier way. Use the ReplacementStrings collection instead of the Message property:

    Get-EventLog -LogName Security -InstanceId 4624 -Newest 1 | Select-Object -Property TimeGenerated, @{Label='UserName';Expression={$_.ReplacementStrings[1]}}

  • #15669
    Joakim
    Participant

    Nice Mike 🙂 PowerShell is so powerful that one tends to forget the simplest ways to use it! 🙂
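The following is an added example, not code from any of the posters in this thread. It shows both approaches discussed above for a 4624 logon event: a regex over the Message text that picks the "New Logon" account (the message contains two "Account Name:" lines, one under Subject and one under New Logon), and the ReplacementStrings collection. The $sampleMessage is constructed from the event text Eric posted so the regex part runs without a Security log; the function name Get-LogonAccountName is my own. The index comments assume the 4624 insertion-string order (index 1 = Subject account name, index 5 = New Logon account name), which the enumeration loop lets you verify on your own entries before relying on a fixed index. Get-EventLog requires Windows PowerShell and read access to the Security log.

```powershell
# Constructed sample, adapted from the 4624 message text posted in the thread.
$sampleMessage = @'
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SO-PC$
    Account Domain:     WORKGROUP
    Logon ID:           0x3e7

Logon Type:         2

New Logon:
    Security ID:        S-1-5-21-2415982056-31499485-2897633832-1007
    Account Name:       Salamone
    Account Domain:     SO-PC
    Logon ID:           0x1ec8b42
'@

function Get-LogonAccountName {
    <#
    Hypothetical helper: returns the account name from the "New Logon" block
    of a 4624 message. Anchoring on "New Logon:" skips the Subject block's
    "Account Name:" line. (?s) lets '.' span line breaks; .*? is lazy, so it
    stops at the first "Account Name:" after "New Logon:".
    #>
    param([Parameter(Mandatory)][string]$Message)

    $m = [regex]::Match($Message, '(?s)New Logon:.*?Account Name:\s*(\S+)')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

Get-LogonAccountName -Message $sampleMessage   # Salamone

# Why the original -replace returned the whole message: '^(Account Name:.)$'
# is anchored to the start and end of the entire string (no (?m) flag) and
# '.' matches exactly one character, so the pattern never matches and
# -replace hands the input back unchanged. To keep only the capture with
# -replace, match everything around it as well. The replacement string must
# be single-quoted so PowerShell does not expand $1 before .NET sees it.
$sampleMessage -replace '(?s).*New Logon:.*?Account Name:\s*(\S+).*', '$1'   # Salamone

# ReplacementStrings: the Message is rendered from the event template plus an
# ordered array of inserted values, so no parsing is needed. Which index holds
# which field depends on the event ID; list them with their index to check.
$entry = Get-EventLog -LogName Security -InstanceId 4624 -Newest 1
for ($i = 0; $i -lt $entry.ReplacementStrings.Count; $i++) {
    '[{0}] {1}' -f $i, $entry.ReplacementStrings[$i]
}

# For 4624 (assumed insertion order): [1] is the Subject account name, which
# for an interactive logon is usually the machine account (SO-PC$ above), and
# [5] is the New Logon account name (Salamone above), i.e. who actually
# logged on.
$entry | Select-Object TimeGenerated,
    @{Label='SubjectUserName'; Expression={$_.ReplacementStrings[1]}},
    @{Label='TargetUserName';  Expression={$_.ReplacementStrings[5]}}
```

When building detections or reports from logon events, the ReplacementStrings (or, with Get-WinEvent, the event XML's EventData) are the stable source; the rendered Message text is localized and its layout can change between Windows versions, so a regex over it is the fallback, not the first choice.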
  • #15723
    Eric Salamone
    Participant

    That worked perfectly thank you.
