How to Filter EventLog to get one log per a day - PowerShell

Question

I wrote powershell script to get where specific user was logon. But I want to get only one result per a day.

The script is working perfectly, but gives a lot result per day.

Here is my script:

$StartDate = Get-Date -Year 2019 -Month 12 -Day 01 
$computers = Get-ADComputer -SearchBase 'ou=XXX,dc=XXX,dc=org,dc=XX' -Filter "Name -like 'XXXX*'" 
foreach ($comp in $computers) { 
    $Computer = $comp.Name 
    Get-WinEvent -max 3 -Computername $Computer -FilterHashtable @{LogName='Security';ID='4624' ;StartTime=$StartDate } | 
    where {($.Id -eq '4624') -and ($.properties[8].value -eq 3) -and ($.properties[5].value -eq 'XXXXX')} |
    select-Object -Property TimeCreated, MachineName , @{ Name = 'TargetUserName'; Expression = { $.Properties[5].Value } }
}

The code is missing underscores on every `$_` automatic value and therefore should not run. After you fixed that and if you want just one result, end the `Select-Object` with `-First 1` — Theo, Dec 24 '19 at 14:28
hi the code working fine. i'm not looking for the last or one result. i want to get one result for each day. — Reuven B.S, Dec 25 '19 at 08:12
Sorry I misunderstood the desired output at first. I have edited my answer with new code to output one event per day. — Theo, Dec 25 '19 at 11:11

score 0 · Answer 1 · answered Dec 24 '19 at 14:35

Your fixed code is:

StartDate = Get-Date -Year 2019 -Month 12 -Day 01 
$computers = Get-ADComputer -SearchBase 'ou=XXX,dc=XXX,dc=org,dc=XX' -Filter "Name -like 'XXXX*'" 
foreach ($comp in $computers) { $Computer = $comp.Name Get-WinEvent -max 3 -Computername $Computer -FilterHashtable 
@{LogName='Security';ID='4624' ;StartTime=$StartDate } | where {($_.Id -eq '4624') -and ($_.properties[8].value -eq 3) -and ($._properties[5].value -eq 'XXXXX')} | select-Object -Property TimeCreated, MachineName , @{ Name = 'TargetUserName'; Expression = { $_.Properties[5].Value } } } -first 1

Note I added several underscores that were missing in the where-object and select-object cmdlets and for one result -first 1 after select-object is needed.

hi, that give my only one result. i want to get one result from every day from 12/1/19 until today. every day one result. thanks — Reuven B.S, Dec 25 '19 at 08:14

Theo · Accepted Answer · 2019-12-26T10:08:41.063

As commented, the code is missing the underscores for the $_ automatic variable.
Also, I would advise to use .Date on the startDate to omit the time part, effectively settting it to midnight.

# set the startdate, remove the time part so it wil be the date at midnight
$StartDate = (Get-Date -Year 2019 -Month 12 -Day 01 ).Date
$LogonUser = 'XXXXX'
$computers = Get-ADComputer -SearchBase 'ou=XXX,dc=XXX,dc=org,dc=XX' -Filter "Name -like 'XXXX*'" 

foreach ($comp in $computers) { 
    $Computer =  $comp.Name 
    Get-WinEvent -Computername $Computer -FilterHashtable @{LogName='Security';ID=4624;StartTime=$StartDate } | 
    Where-Object {($_.Properties[8].Value -eq 3) -and ($_.Properties[5].Value -eq $LogonUser) } |
    Select-Object -Property TimeCreated, MachineName, 
                            @{ Name = 'TargetUserName'; Expression = { $_.Properties[5].Value } } |
    Group-Object @{Expression = {$_.TimeCreated.Date}} | ForEach-Object { 
        $_.Group | Select-Object -First 1
    }

For those wondering about the $_.Properties:

$_.Properties[5].Value --> TargetUserName
$_.Properties[8].Value --> LogonType. Value = 3 --> Network

See: Audit logon events

thanks for your answer but it's still keep giving me only one reuslt (the last one). — Reuven B.S, Dec 26 '19 at 09:58
@ReuvenB.S ..not on my machine. However, I have taken out the `-MaxEvents 100` because maybe that wasn't enough. Otherwise try removing the `-and ($_.Properties[5].Value -eq $LogonUser)` and see what you get. — Theo, Dec 26 '19 at 10:10

How to Filter EventLog to get one log per a day - PowerShell

2 Answers2