Parsing EventLog Message

This topic contains 2 replies, has 2 voices, and was last updated by CHARALABOS 1 year, 5 months ago.

  • #25096
    CHARALABOS

    Hello community,
    I'm searching for a good way to parse the message string from Security event log entries.
    I found many examples on the web, but all of them work by parsing the XML and picking values by position.
    For example, they parse only event ID 4625 entries, which have the same properties in the same position in every event.
    But what if I want to look at every line and check whether it contains a string like "Account Name"?
    I want to find a way to look at every line and, if there is the string "Account Name", give me back that line.

    I found that Select-String does something like this (like grep on Linux), but I didn't find a way to run Select-String on a string.
    Is there any good way?
    Thank you, all experts!! 🙂

  • #25110
    Robert Derickson

    Using the -Split operator and a regex on a string, you can convert your multi-line event log messages to arrays. Then use Select-String to pull out the items containing 'Account Name'.

    $event.message -Split '\r\n' | Select-String 'Account Name'
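    The following is an added worked example (it is not part of the original thread or its answers) showing the split-then-Select-String approach on a constructed message, and then a small generalisation that turns every "Label: Value" line of the message into an object so the different "Account Name" lines can be told apart by the section they belong to. The sample message, the function name ConvertFrom-EventMessage and the Get-WinEvent filter at the end are all assumptions made for the example; the message layout only imitates a Security 4625 event and the values are made up.

    ```powershell
    # Added example, not code from the original thread.
    # Constructed sample modelled on the layout of a Windows Security 4625
    # ("An account failed to log on") message; every value here is made up.
    # With live data you would use $event.Message from Get-WinEvent instead.
    $sampleMessage = @'
An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       WORKSTATION01$
    Account Domain:     CONTOSO
    Logon ID:           0x3E7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       jdoe
    Account Domain:     CONTOSO
'@

    # 1. The technique from the answer above: split the message into lines
    #    (accepting either CRLF or LF) and grep for the label.
    $lines = $sampleMessage -split '\r?\n'
    $lines | Select-String 'Account Name'

    # 2. Generalisation: parse every "Label: Value" line into an object and
    #    remember which section header ("Subject:", "Account For Which
    #    Logon Failed:") it sits under, so the two 'Account Name' values
    #    (the caller account and the account that failed) are distinguishable.
    function ConvertFrom-EventMessage {
        param([Parameter(Mandatory)][string]$Message)

        $section = ''
        foreach ($line in ($Message -split '\r?\n')) {
            # A line that is only "Something:" starts a new section.
            if ($line -match '^\s*([^:]+):\s*$') {
                $section = $Matches[1].Trim()
                continue
            }
            # "Label:<whitespace>Value" becomes one object; other lines are skipped.
            if ($line -match '^\s*([^:]+):\s*(.+?)\s*$') {
                [pscustomobject]@{
                    Section = $section
                    Field   = $Matches[1].Trim()
                    Value   = $Matches[2].Trim()
                }
            }
        }
    }

    ConvertFrom-EventMessage -Message $sampleMessage |
        Where-Object Field -eq 'Account Name' |
        Format-Table Section, Value

    # Against live data (hypothetical filter: the last 10 failed logons):
    # Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 10 |
    #     ForEach-Object { ConvertFrom-EventMessage -Message $_.Message }
    ```

    The first part prints the two lines that contain "Account Name"; the second prints a table with Section "Subject" / Value "WORKSTATION01$" and Section "Account For Which Logon Failed" / Value "jdoe". The single-quoted here-string is used on purpose so the trailing $ in the computer account name is not treated as a variable. Because the function keys on the label text rather than on a field position, it works for any event ID whose message uses the "Label: Value" layout, which is what the original question was after; when you do need position-stable fields, the event's Properties collection or its XML (as the question mentions) remains the more robust source.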
  • #25118
    CHARALABOS

    Thank you very very much! It works!!!
