1

I have a Windows 2003 Security log file in evt format. I need to filter the log by EventID 540 and produce a list of unique Users from it. I am working on a Windows 7 machine to do this. Any ideas on the best way?

EDIT

This script did it for me

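```powershell
# Suppress errors (for example, SIDs that cannot be translated) and keep going.
$ErrorActionPreference = 'SilentlyContinue'
$users = @()

# Read only event ID 540 (successful network logon) from the saved log.
Get-WinEvent -FilterHashtable @{Path="C:\TEMP\LogonLogoffEvents.evtx";ProviderName="security";id=540} | foreach {
  $sid = $_.UserId
  # Skip events that carry no user SID.
  if ($null -eq $sid) { return }

  # Translate the SID into a DOMAIN\user account name.
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
  $objUser = $objSID.Translate([System.Security.Principal.NTAccount])

  # Record each account only once.
  if ($users -NotContains $objUser.Value) {
    $users += $objUser.Value
    $objUser.Value >> "C:\temp\users.txt"
  }
}
```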
Mark Allison

1 Answer

3

PowerShell is your friend: Use PowerShell to parse saved Event logs

Matthias Güntert
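An added example, not code from either poster: a variant that reads the legacy `.evt` file directly and takes the account name from the event's own insertion strings, so it does not depend on the analysis machine being able to translate SIDs from the original domain. The file paths are placeholders, and the position of the user name and domain in `Properties` is an assumption based on the Windows 2003 message layout for event 540.

```powershell
# Added example; the paths below are placeholders, not values from the post.
$logPath = 'C:\TEMP\Security.evt'
$outPath = 'C:\TEMP\users.txt'

# -Oldest is required when Get-WinEvent reads a saved legacy .evt file.
$users = Get-WinEvent -Path $logPath -Oldest |
    Where-Object { $_.Id -eq 540 } |
    ForEach-Object {
        # Assumption: for event 540 the first two insertion strings are
        # the user name and the domain (Windows 2003 message text order).
        $name   = [string]$_.Properties[0].Value
        $domain = [string]$_.Properties[1].Value

        # Skip records with no user name; emit DOMAIN\user otherwise.
        if ($name) {
            if ($domain) { "$domain\$name" } else { $name }
        }
    } |
    Sort-Object -Unique   # case-insensitive de-duplication by default

# Overwrite the output file so repeated runs do not accumulate entries.
$users | Set-Content -Path $outPath
"{0} unique accounts written to {1}" -f @($users).Count, $outPath
```

Machine accounts (names ending in `$`) appear in network logon events and are kept here; filter them with an extra `Where-Object` if only human accounts are wanted.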