
March 17, 2016 at 8:07 am

Hello,

I would like to get some info out of an event log item; the General message pane has some info like this:
PS C:\Windows\system32> $string = (Get-EventLog -LogName Security -InstanceId 5136 -Newest 1).Message

PS C:\Windows\system32> $string
A directory service object was modified.

Subject:
Security ID: S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxxx-xxxxxxx
Account Name: Username
Account Domain: Domain
Logon ID: 0x904ea6c

Directory Service:
Name: domain
Type: %%14676

Object:
DN: CN=Domain Admins,CN=Users,DC=domain,DC=be
GUID: {56284D9B-9FA0-4FE2-8725-7C08B52EF71E}
Class: group

Attribute:
LDAP Display Name: member
Syntax (OID): 2.5.5.1
Value: cn=test,OU=Hardware,OU=users,OU=top,OU=domain dd,DC=dd,DC=be

Operation:
Type: %%14674
Correlation ID: {D5F020FB-94BD-458A-9C11-79D7EB22DA64}
Application Correlation ID: –

I would like to get the data into some variables, like Account Name (username),
Group (Domain Admins),
Attribute value.
The problem is that this whole message is a string.
How would you get these out of the string and put them in variables?

Thanks in advance.
Kind regards.

March 17, 2016 at 8:17 am

Try using Get-WinEvent instead of Get-EventLog, and we might have to change the string to objects.

March 17, 2016 at 8:52 am

Hi there!

There's a good chance you can reference those individual properties directly, rather than trying to read the message string.

Get-WinEventData simplifies this so that you can simply pipe Get-WinEvent to Get-WinEventData.

Cheers!

March 18, 2016 at 1:48 pm

Nikolas, as folks mentioned above, it would be more effective, and subsequently faster, to use Get-WinEvent in conjunction with a hash table. Since you are looking for specific values, you will have to parse the XML view that the Windows event log offers.

In short, for example (the hash table takes one value per key, so the quotes close after the log name and the ID is a separate entry):
$MySecurityLog = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4798}

Then retrieve what you want to retrieve: $MySecurityLog | gm
In your scenario $MySecurityLog.Properties will give you output like UserName, domain etc.

The "tricky" part (let's say) is to cast $MySecurityLog as XML, since, as I mentioned, you need to parse the event log XML info.

$ConvertToXml = [xml]$MySecurityLog.ToXml()

Finally, search your XML variable again and step by step retrieve the related members (Event, EventData etc.).

Cheers!
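An added example, not code from any post in this thread, that does what the reply above describes: cast the record's ToXml() output to [xml] and pick the fields out of EventData. Instead of counting positions (Data[0], Data[4]) it keys each value on the Name attribute of its <Data> element, so the same function works for 5136, 4722 or any other Security event. The field names used for 5136 (SubjectUserName, ObjectDN, AttributeValue and so on) are the ones I know from the 5136 event schema and are an assumption; confirm them on your own DC with (Get-WinEvent ...).ToXml(). The sample XML is constructed from the values in the original question, not a real capture.

```powershell
# Added example (not from the thread): turn a Security event's EventData into
# named properties by reading the Name attribute of each <Data> element.
# Assumption: the 5136 field names below match the event schema on your DC.

function ConvertFrom-EventData {
    [CmdletBinding()]
    param(
        # An EventLogRecord from Get-WinEvent, or the XML string that ToXml() returns
        [Parameter(Mandatory, ValueFromPipeline)]
        $InputObject
    )
    process {
        $xmlText = if ($InputObject -is [string]) { $InputObject } else { $InputObject.ToXml() }
        $xml = [xml]$xmlText

        # <EventID> comes back as a plain string unless it carries attributes
        # (e.g. Qualifiers), in which case PowerShell hands back an XmlElement.
        $eventId = $xml.Event.System.EventID
        if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }

        $props = [ordered]@{
            EventId     = [int]$eventId
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer    = $xml.Event.System.Computer
        }
        # Each <Data Name="..."> becomes a property named after the field,
        # so the order of the fields no longer matters.
        foreach ($d in $xml.Event.EventData.Data) {
            $name = $d.GetAttribute('Name')
            if ($name) { $props[$name] = $d.InnerText }
        }
        [pscustomobject]$props
    }
}

# Constructed sample, shaped like (Get-WinEvent ...).ToXml() output for the
# 5136 event in the question; the values are the placeholders from the post.
$sample5136 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2016-03-17T08:00:00.0000000Z" />
    <Computer>dc01.domain.be</Computer>
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{D5F020FB-94BD-458A-9C11-79D7EB22DA64}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxxx-xxxxxxx</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">Domain</Data>
    <Data Name="SubjectLogonId">0x904ea6c</Data>
    <Data Name="DSName">domain</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=domain,DC=be</Data>
    <Data Name="ObjectGUID">{56284D9B-9FA0-4FE2-8725-7C08B52EF71E}</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="AttributeLDAPDisplayName">member</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.1</Data>
    <Data Name="AttributeValue">cn=test,OU=Hardware,OU=users,OU=top,OU=domain dd,DC=dd,DC=be</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

$e = ConvertFrom-EventData $sample5136
# The three values the question asked for, now as plain strings:
$accountName    = $e.SubjectUserName   # Username
$group          = $e.ObjectDN          # CN=Domain Admins,CN=Users,DC=domain,DC=be
$attributeValue = $e.AttributeValue    # cn=test,OU=Hardware,...

# Against the live log (needs read access to the Security log on the DC):
# Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 5136} -MaxEvents 1 |
#     ConvertFrom-EventData |
#     Select-Object TimeCreated, SubjectUserName, ObjectDN, AttributeValue
```

The %%14674 / %%14676 tokens stay as tokens in the XML; they are message-table references that only the rendered Message string (or $record.Properties in some cases) resolves, so if you need "Value Added" rather than %%14674, map the handful you care about yourself.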

March 19, 2016 at 10:33 am

Tyvm guys for the responses, the answers helped me out.
I'll finish the scripts tomorrow and post them here.

Grtz Nicolas

March 21, 2016 at 11:14 am

Hello guys,

This is a part of the script:

#Get the event 4722 => user enabled
$event = Get-WinEvent -FilterHashtable @{ID='4722'; logname='security'} -MaxEvents 1
#Create an XML from the event
$eventXML = [xml]$Event.ToXml()
#Extract data out of the XML
$Targetusername = $eventXML.Event.EventData.Data[0].'#text'
$user = $eventXML.Event.EventData.Data[4].'#text'
#Send the mail
$subj = "The user $Targetusername is created or enabled by user: $user"
$comp = Get-Childitem env:computername
$body = "You can see the eventlog on $comp on $event.timeCreated for eventID:4722"
send-mailmessage -to .... -from .... -subject $subj -Body $body -SmtpServer .....

The last problem is that when I'm sending a mail message with the -Body string, the output is like this:
You can see the eventlog on System.Collections.DictionaryEntry on System.Diagnostics.Eventing.Reader.EventLogRecord.timeCreated for eventID:4722

I tried converting those outputs to strings, but to no avail.

Kind regards,
Nicolas
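An added example, not the poster's script, showing where the two type names in that mail body come from and the corrected form. Get-ChildItem env:computername returns a DictionaryEntry (name plus value), whereas $env:COMPUTERNAME is the string; and inside a double-quoted string "$event.timeCreated" expands only $event (which stringifies to its type name) and appends ".timeCreated" literally, so the property has to be wrapped in $( ). The 4722 field names TargetUserName and SubjectUserName are assumed to be the poster's Data[0] and Data[4]; $To, $From and $SmtpServer are placeholders for the values elided in the post. The stand-in record is constructed so the function can be run without a Security log.

```powershell
# Added example (not from the thread): build the notification text so that
# property values, not type names, land in the mail body.
# Assumptions: TargetUserName / SubjectUserName are the 4722 fields the poster
# read as Data[0] / Data[4]; $To, $From, $SmtpServer are placeholders.

function New-EnabledUserNotice {
    param(
        # EventLogRecord from Get-WinEvent, or any object with Id, TimeCreated and ToXml()
        [Parameter(Mandatory)]
        $Record
    )
    $eventXML = [xml]$Record.ToXml()
    $data = $eventXML.Event.EventData.Data
    # Look the fields up by name rather than by position
    $targetUser  = ($data | Where-Object { $_.GetAttribute('Name') -eq 'TargetUserName'  }).InnerText
    $subjectUser = ($data | Where-Object { $_.GetAttribute('Name') -eq 'SubjectUserName' }).InnerText

    # $env:COMPUTERNAME is the string; Get-ChildItem env:computername is a DictionaryEntry
    $computer = $env:COMPUTERNAME

    # "$Record.TimeCreated" would expand only $Record; $( ) expands the property
    $subject = "The user $targetUser is created or enabled by user: $subjectUser"
    $body    = "You can see the eventlog on $computer on $($Record.TimeCreated) for eventID:$($Record.Id)"

    # Same body with the format operator; easier to read once the string grows
    $bodyAlt = 'You can see the eventlog on {0} on {1:u} for eventID:{2}' -f $computer, $Record.TimeCreated, $Record.Id

    [pscustomobject]@{ Subject = $subject; Body = $body; BodyAlt = $bodyAlt }
}

# Constructed stand-in for a 4722 record (not a real capture) so the function
# can be exercised offline; it exposes the members the function touches.
$record = [pscustomobject]@{
    Id          = 4722
    TimeCreated = Get-Date '2016-03-21T11:14:00'
}
$record | Add-Member -MemberType ScriptMethod -Name ToXml -Value {
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4722</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-500</Data>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x904ea6c</Data>
  </EventData>
</Event>
'@
}

$notice = New-EnabledUserNotice -Record $record
$notice.Subject   # The user jdoe is created or enabled by user: admin
$notice.Body      # You can see the eventlog on <this host> on <21/03/2016 11:14:00 in your locale> for eventID:4722

# Live use, with the placeholders filled in from your environment:
# $record = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4722} -MaxEvents 1
# $notice = New-EnabledUserNotice -Record $record
# Send-MailMessage -To $To -From $From -Subject $notice.Subject -Body $notice.Body -SmtpServer $SmtpServer
```

Keeping the subject and body in a function that returns them (rather than calling Send-MailMessage inline) also lets you check the text in the console before any mail goes out.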