October 23, 2015 at 6:33 am

Hey guys, here is my code. I need help figuring out why the date is being exported like this. Also, after that, I would like as an added bonus to have it return only the last event for a user, so if it sees that user again it skips. I tried to do it but failed; I'm not sure how to lay out the logic. I am a novice programmer, just starting out and learning really.

$query = @{
    #date = (Get-Date).AddHours(-40)
    id = 4624
    level = 0
    logname = "security"
}
$pc = $env:COMPUTERNAME
$log = (Get-WinEvent -ComputerName $pc -FilterHashTable @{LogName=$query.logname; Level=$query.level; id=$query.id})

# One XML document per event
[xml[]]$xmllog = $log.toXml()

foreach ($i in $xmllog) {
    # Data[8] is the logon type of the 4624 event
    [int32]$a = $i.event.eventdata.data[8].'#text'
    if (($a -eq '7') -or ($a -eq '10')) {
        $array = New-object PSObject -Property([ordered]@{`
            "Target Computer" = $i.Event.System.Computer
            "Time" = $i.Event.System.TimeCreated
            "User Logged In" = $i.Event.EventData.Data[5].'#text'
            #if($i.event.eventdata.data[5].'#text' -eq $i.event.eventdata.data[5].'#text'){continue}
            "Logon Type" = $i.Event.EventData.Data[8].'#text'
            "Ip Address" = $i.Event.EventData.Data[18].'#text'
        })

    }
    else { continue }

    # Append one row per matching event
    $array | Export-Csv -NoTypeInformation C:\$pc.csv -Append

}

October 23, 2015 at 12:00 pm

Replace

$i.Event.System.TimeCreated

With

[System.DateTime]$i.Event.System.TimeCreated.SystemTime
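
An added example, not part of either post: one way to return only the most recent logon per user, the second thing the question asks for, while reading the timestamp from the SystemTime attribute as the reply does. The function name Get-LastLogonPerUser and the sample events are constructed for illustration; fields are looked up by their 4624 names (TargetUserName, LogonType, IpAddress) instead of by index.

```powershell
# Added example: keep logon types 7 and 10, then emit only the newest row per user.
function Get-LastLogonPerUser {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $seen = @{}   # user names already emitted (hashtable keys are case-insensitive)
    $rows = foreach ($xml in $EventXml) {
        $e = ([xml]$xml).Event
        # Index EventData by Name so nothing depends on Data[5], Data[8], Data[18]
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            'Target Computer' = $e.System.Computer
            # TimeCreated is an XML element; the timestamp is its SystemTime attribute
            'Time'            = [datetime]$e.System.TimeCreated.SystemTime
            'User Logged In'  = $d['TargetUserName']
            'Logon Type'      = [int]$d['LogonType']
            'Ip Address'      = $d['IpAddress']
        }
    }

    # Filter on logon type, sort newest first, pass the first row seen for each user
    $rows |
        Where-Object { $_.'Logon Type' -in 7, 10 } |
        Sort-Object Time -Descending |
        Where-Object {
            if ($seen.ContainsKey($_.'User Logged In')) { $false }
            else { $seen[$_.'User Logged In'] = $true; $true }
        }
}

# Constructed sample events (not from a real log), trimmed to the fields used:
# alice logs on twice over RDP, bob has a network logon (type 3), carol unlocks once.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><TimeCreated SystemTime="{0}"/><Computer>PC01</Computer></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data><Data Name="LogonType">{2}</Data>' +
    '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$sample = @(
    ($tpl -f '2015-10-22T08:00:00.000000000Z', 'alice', 10, '192.0.2.10')
    ($tpl -f '2015-10-23T06:30:00.000000000Z', 'alice', 10, '192.0.2.11')
    ($tpl -f '2015-10-23T05:00:00.000000000Z', 'bob',   3,  '192.0.2.20')
    ($tpl -f '2015-10-22T17:45:00.000000000Z', 'carol', 7,  '-')
)
Get-LastLogonPerUser -EventXml $sample

# Against the live log (elevated prompt), feed it the same XML the question builds:
# Get-LastLogonPerUser -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() })
```

The objects it returns can be piped to Export-Csv -NoTypeInformation exactly as in the original script.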