get-winevent: working with properties

Question

I try to learn powershell to automate some daily tasks.

I try to figure out all fieldnames from the get-winevent function to understand what i need to do when i want to filter a result from a lot of eventid's with several conditions.

In this simple example i want all events 4625 and the events from 4624 but only if logontype is 2. The resulttable should only include the given fields (for now all fields, later on selected fields and one custom field). Additionaly i would like to mark local logins and remotelogins in a specific column with "local" or "remote" and network-data (IP, username, hostname).

Get-winevent -FilterHashtable @{Path="c:\temp\test.evtx";} |
Where-Object {$_.Id -eq 4624 -and $_.properties[8].value -in 2} 
-or
{$_.Id -eq 4625}| export-csv ($EventlogTempFolder+$_.basename + ".csv") -encoding UTF8 -NoTypeInformation -force

How can i get a list of all fields? From ID to all property-fields in the message-field?

Btw.: this code did not work as expected. sorry for that.

Answer 1

Your code

Where-Object {$_.Id -eq 4624 -and $_.properties[8].value -in 2} 
-or
{$_.Id -eq 4625}

From Get-Help Where-Object

Where-Object [-FilterScript] <ScriptBlock> [-InputObject <PSObject>] [<CommonParameters>]

...

Starting in Windows PowerShell 3.0, there are two different ways to construct a Where-Object 
command. Script block . You can use a script block to specify the property name, a comparison 
operator, and a property value. Where-Object returns all objects for which the script block 
statement is true.

For example, the following command gets processes in the Normal priority class, that is, 
processes where the value of the PriorityClass property equals Normal.

`Get-Process | Where-Object {$_.PriorityClass -eq "Normal"}`

Problem

The Where-Object CmdLet only accepts a single scriptblock (the bit in the {} braces)

Fix

Where-Object {
    ($_.Id -eq 4624 -and $_.properties[8].value -in 2)
    -or
    $_.Id -eq 4625
}