Thursday, October 15, 2015

Powershell | Event Log Message content

Security Event Log taken from a Windows Server 2003 Domain Controller,
repaired with http://www.cwflynt.com/logFixer/ (the 2003 .evt format is not readable by Get-WinEvent as-is),
then filtered with Event Viewer on Windows 10 and saved as .evtx.

Loaded into PowerShell and parsed on the rendered message text to extract, per account-change event, the target account, the changed "Don't Expire Password" / "Logon Hours" attributes, and the caller account that made the change.


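#
# Eventlog filtering
#
# Reads the saved Security log (filteredchanges.evtx) and, for each event,
# pulls four fields out of the rendered message text: the target account,
# the "Don't Expire Password" and "Logon Hours" lines, and the caller (the
# account that performed the change — the field that attributes the action).
# One summary object per event is collected in $results.
#
# NOTE(review): the labels below are those of the message format this log
# came from (a 2003 DC); newer OS versions word and lay these fields out
# differently, so confirm the labels before pointing this at other logs.
# Parsing rendered text is also locale-dependent; $_.Properties exposes the
# raw replacement strings if their positions are known — TODO consider.

# Return the text after the first ':' on the first message line containing
# $Label, trimmed, or $null when no line matches or the line has no ':'.
# Taking everything after the first ':' (rather than Split(':')[1]) keeps
# values that themselves contain a colon and drops the surrounding whitespace.
function Get-MessageField {
    param(
        [AllowEmptyCollection()][string[]]$Lines = @(),
        [string]$Label
    )
    # -SimpleMatch: the labels are literal text, not regular expressions.
    $hit = @($Lines | Select-String -SimpleMatch -Pattern $Label) | Select-Object -First 1
    if ($null -eq $hit) { return $null }
    $idx = $hit.Line.IndexOf(':')
    if ($idx -lt 0) { return $null }
    return $hit.Line.Substring($idx + 1).Trim()
}

# Build the summary object (Name, Expired, Logon, Changetime, userid) for one
# event from its message text and creation time. A missing field yields
# $null instead of aborting the run: the original called .ToString() on a
# null Select-String result, which throws on the first event lacking a
# label. Expired is the parsed value, consistent with the other fields,
# rather than the raw MatchInfo object the original stored.
function ConvertFrom-AccountChangeMessage {
    param(
        [AllowNull()][AllowEmptyString()][string]$Message,
        $TimeCreated
    )
    # Event messages use CRLF; split on LF and drop the stray CR that the
    # original split left on the end of every extracted value.
    $lines = @()
    if (-not [string]::IsNullOrEmpty($Message)) {
        $lines = @(($Message -split "`n") | ForEach-Object { $_.TrimEnd("`r") })
    }
    [pscustomobject]@{
        Name       = Get-MessageField -Lines $lines -Label 'Target Account Name'
        Expired    = Get-MessageField -Lines $lines -Label "Don't Expire Password"
        Logon      = Get-MessageField -Lines $lines -Label 'Logon Hours'
        Changetime = $TimeCreated
        userid     = Get-MessageField -Lines $lines -Label 'Caller User Name'
    }
}

$logdetail = Get-WinEvent -Path .\filteredchanges.evtx
# Collect through the pipeline instead of `$results += ...`, which copies
# the whole array on every iteration. The loop variable is $evt, not
# $event: $Event is a PowerShell automatic variable and assigning to it is
# flagged by PSScriptAnalyzer.
$results = @(foreach ($evt in $logdetail) {
    ConvertFrom-AccountChangeMessage -Message $evt.Message -TimeCreated $evt.TimeCreated
})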
