Author Posts

May 11, 2015 at 11:00 am

Hello community,
I'm searching for a good way to parse the message string from security event log entries.
I found many on the web, but all of them implement it by parsing the XML with value positioning.
For example, they parse only 4625 event ID entries, which have the same properties in the same position in every event.
But what if I want to see on every line whether there's a string like "Account Name", for example?
I want to find a way to look at every line and, if there's the string "Account Name", give me back the line.

I found that Select-String does something like this (like grep on Linux), but I didn't find a way to do Select-String on a string.
Is there any good way?
Thank you all, experts!! 🙂

May 11, 2015 at 2:09 pm

Using the -Split parameter and regex on a string, you can convert your multi-line event log messages to arrays. Then use Select-String to pull out the items containing 'Account Name'.

$event.message -Split '\r\n' | Select-String 'Account Name'
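A fuller, runnable version of the approach in the reply above, as an added example that is not part of the original thread. The event message is constructed here to resemble a 4625 (logon failure) message so the script runs offline; the account, domain and workstation names are made up. It first does exactly what the one-liner does (split, then Select-String), then goes one step further and turns the "Label: Value" lines into name/value pairs, which is what you usually want next.

```powershell
# Added example (not from the original thread): split a multi-line Security
# event message into lines and filter them with Select-String.
# On a real system the message would come from, e.g.:
#   $event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 1
#   $sampleMessage = $event.Message
# The text below is CONSTRUCTED to look like a 4625 message; names are fictional.
$sampleMessage = @'
An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       WORKSTATION01$
    Account Domain:     CONTOSO
    Logon ID:           0x3E7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       jdoe
    Account Domain:     CONTOSO

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A
'@

# -split treats its pattern as a regex by default. Real event messages use
# CR+LF, but a here-string takes the script file's line endings, so accept both.
$lines = $sampleMessage -split '\r?\n'

# 1. The thread's approach: every line that mentions "Account Name".
#    Select-String returns MatchInfo objects; .Line holds the matched text.
#    Note: a 4625 message contains "Account Name" twice (the Subject and the
#    account that failed to log on), so you get two hits, in message order.
$hits = $lines | Select-String -SimpleMatch 'Account Name'
$hits | ForEach-Object { $_.Line.Trim() }

# 2. One step further: convert "Label:<spaces>Value" lines into name/value
#    objects. Order is preserved on purpose (a hashtable would silently
#    overwrite the first "Account Name" with the second).
function ConvertFrom-EventMessageLines {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        # Section headers such as "Subject:" have no value and are skipped.
        if ($line -match '^\s*(?<name>[^:]+?):\s+(?<value>\S.*)$') {
            [pscustomobject]@{
                Name  = $Matches.name.Trim()
                Value = $Matches.value.Trim()
            }
        }
    }
}

$pairs = ConvertFrom-EventMessageLines -Lines $lines
# Both "Account Name" entries, now as objects you can filter or export:
$pairs | Where-Object Name -eq 'Account Name'
```

One caveat worth knowing before building anything on this: $event.Message is rendered in the display language of the machine, so matching the literal text 'Account Name' only works on English systems. For ad hoc searching that is fine; for detection logic or scripts that must run across systems, the event's XML is locale-independent (for example `([xml]$event.ToXml()).Event.EventData.Data`, or the `$event.Properties` collection), which is why the positional parsers you found work the way they do.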

May 12, 2015 at 12:51 am

Thank you very, very much! It works!!!