
I am trying to create a script that pulls failed logon attempts for certain events in the past 24 hours, but I can't figure out how to pull the account information out. User is Null all the time so the info is blank, BUT when I look in the General tab I can see "Account Information".

I would like to pull and add what it shows in the XML view under "EventData", which is TargetUserName. How can I get this done? What I have so far works fine, but I need the username info and what my script pulls is always blank.

System: Windows Server 2008 R2. The log I am pulling from is the Security log, with event IDs 4625, 4768, 4771, 4772 for the past 24 hours.

My code:

# Output path is a placeholder; Export-Csv needs one or it prompts for it
Get-EventLog Security 4625,4768,4771,4772 -After ((Get-Date).AddDays(-1)) | Export-Csv -Path "C:\temp\failed-logons.csv" -NoTypeInformation
MJT

2 Answers


Try the following. It will extract TargetUserName from the event's message and add it as a new column to the original event. You will then be able to export it to c:\temp\yourlog.csv or wherever you need to.

Get-EventLog Security 4625,4768,4771,4772 -After ((Get-Date).AddDays(-1)) | ForEach-Object {
    # Take the last "Account Name:" line of the message: for 4625 the first one is the
    # Subject (calling) account and the second is the account the logon failed for
    $line = @([string]$_.Message -split "`n" | Select-String "Account Name:")[-1]
    $TargetUserName = if ($line) { ($line.Line -replace '^.*Account Name:\s*', '').Trim() }
    $_ | Add-Member -MemberType NoteProperty -Name TargetUserName -Value $TargetUserName
    $_
} | Export-Csv "c:\temp\yourlog.csv" -NoTypeInformation
Raf
  • This did pull the required info, but it did not add it to the rest of the report; it just replaced the content. In other words, the original report has event ID, date, machine name, entry type, but this only pulls up the account name and nothing else - almost like that snippet stops the rest of the info from getting pulled in as well. – MJT Mar 25 '14 at 17:16
  • I amended the answer; this should get you what you need. – Raf Mar 28 '14 at 14:57
  • This did it - I did have to remove the [0] to make it work, but this was the answer. From here I have been able to continue adding in order to filter further. Thank you for the help. – MJT Mar 29 '14 at 16:08
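The question asks for the TargetUserName that the XML view shows under EventData. Rather than scraping the rendered message text (which is locale-dependent and, as the question notes, sometimes empty), the fields can be read directly from the event XML. The script below is an added example, not code from either answer; it uses Get-WinEvent (available on Server 2008 R2 / PowerShell 2.0) and the same event IDs and 24-hour window as the question. The output path is a placeholder.

```powershell
# Added example: read failed-logon details from the event XML (EventData) instead of
# the message text. Works for 4625 (logon failure) and 4768/4771/4772 (Kerberos).
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4772
    StartTime = (Get-Date).AddDays(-1)
}

# -ErrorAction SilentlyContinue suppresses the "no events found" error when the window is empty
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # ToXml() gives the same document the Event Viewer XML view shows
    $xml = [xml]$_.ToXml()

    # EventData/Data elements are keyed by their Name attribute; build a lookup table
    $data = @{}
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # Not every ID carries every field (e.g. 4771 has no TargetDomainName, Kerberos
    # events have no SubStatus); missing keys simply yield an empty column
    $_ | Select-Object TimeCreated, Id, MachineName,
        @{ n = 'TargetUserName';   e = { $data['TargetUserName'] } },
        @{ n = 'TargetDomainName'; e = { $data['TargetDomainName'] } },
        @{ n = 'IpAddress';        e = { $data['IpAddress'] } },
        @{ n = 'Status';           e = { $data['Status'] } },
        @{ n = 'SubStatus';        e = { $data['SubStatus'] } }
} | Export-Csv -Path 'C:\temp\failed-logons.csv' -NoTypeInformation   # placeholder path
```

Status and SubStatus are the hexadecimal reason codes (for 4625, SubStatus distinguishes a bad password from an unknown user name or a disabled account), which makes the CSV useful for spotting password-spraying against many accounts versus a single locked-out user. Get-WinEvent with a FilterHashtable filters on the server side, so it is considerably faster than Get-EventLog piped through Where-Object on a busy Security log.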

Because the event returns an XML object, you'll have to parse that to get the user info. I use this to grab locked-out accounts via the Task Scheduler and it emails me the XML info as text so I can review it. It doesn't answer your question, but might work for you as a workaround. I prefer to know about the events immediately rather than way after the fact. There is a bug in that if it fires and there is another event in the meantime, the script only looks at the most recent event, so keep that in mind. For my setup, which gets maybe 1 of these a day, it is fine.

# Look back five minutes for lockout (4740) / unlock (4767) events and mail them as text
$5MinutesAgo = [DateTime]::Now.AddMinutes(-5)
$messageParameters = @{
    Subject    = "User Account Locked/Unlocked on VADS01"
    Body       = Get-EventLog "Security" |
                 Where-Object { $5MinutesAgo -le $_.TimeWritten -and ($_.EventID -eq 4740 -or $_.EventID -eq 4767) } |
                 Format-List |
                 Out-String
    From       = "vads01@domain.com"
    To         = "it@domain.com"
    SmtpServer = "smtp01.domain.com"
}
Send-MailMessage @messageParameters
MikeAWood