I want to parse some keywords from the event ID message below. How can I do that?
Get-WinEvent -FilterHashtable @{LogName='System';ID='10036'} -MaxEvents 5 | fl TimeCreated,Message
TimeCreated : 6/22/2022 9:41:24 AM
Message : The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address
10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
EVENT ID 10036 Message :
The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address 10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
My desired output :
User;Address
CONTOSO\user01;10.223.13.11
CONTOSO\user31;10.222.13.34
CodePudding user response:
I don't have any of those events on my system, so couldn't properly test this, but it should get you what you want:
Get-WinEvent -FilterHashtable @{LogName='System';ID='10036'} -MaxEvents 5 |
    ForEach-Object {
        # named captures: everything after "user " up to the next space, and the dotted address after "address "
        if($_.message -match 'user (?<user>[\w\\]+) .+ address (?<address>[\d.]+).+') {
            [PsCustomObject]@{
                TimeCreated = $_.TimeCreated
                User        = $Matches.user
                Address     = $Matches.address
            }
        }
    }
This outputs a custom object for each event entry. In table format, it will look like this:
TimeCreated User Address
----------- ---- -------
6/22/2022 9:41:24 AM CONTOSO\user01 10.223.13.11
6/22/2022 10:30:16 AM CONTOSO\user31 10.222.13.34
If you want it in the CSV format you mention, append this after the final curly bracket: | ConvertTo-Csv -Delimiter ';'. Drop TimeCreated = $_.TimeCreated from the custom object, if you really don't want it.
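The same parse as an added, stand-alone example (not code from the original answer): it works on constructed message strings instead of live Get-WinEvent output, so it runs on any machine, anchors the regex on the fixed wording of the 10036 message so a stray "user" elsewhere cannot shift the capture, also keeps the SID, and finishes with a per-address/per-account count, which is what you want when deciding which client applications still need their activation authentication level raised. The function name, the second SID and the third sample are assumptions made up for the example.

```powershell
# Added example; ConvertFrom-DcomAuthLevelEvent is a hypothetical name, not a built-in cmdlet.
function ConvertFrom-DcomAuthLevelEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    process {
        # Anchor on the literal phrases of the Event ID 10036 text; \S+ for the address also covers IPv6 literals.
        $pattern = 'does not allow the user (?<user>\S+) SID \((?<sid>S-[\d-]+)\) from address (?<address>\S+) to activate DCOM server'
        if ($Message -match $pattern) {
            [PSCustomObject]@{
                TimeCreated = $TimeCreated
                User        = $Matches.user
                Sid         = $Matches.sid
                Address     = $Matches.address
            }
        }
        else {
            # Surface unexpected wording (other OS language, changed text) instead of silently dropping the event.
            Write-Warning "Message did not match the expected 10036 format: $Message"
        }
    }
}

# Constructed sample messages standing in for Get-WinEvent output; the second SID is invented.
$samples = @(
    'The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address 10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.',
    'The server-side authentication level policy does not allow the user CONTOSO\user31 SID (S-1-5-21-609545082-2795152396-2074981628-19001) from address 10.222.13.34 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.',
    'The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address 10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
)

$parsed = $samples | ConvertFrom-DcomAuthLevelEvent

# The requested output: a User;Address row per event.
$parsed | Select-Object User, Address | ConvertTo-Csv -Delimiter ';' -NoTypeInformation

# Triage view: how often each client host/account is being refused, most frequent first.
$parsed | Group-Object Address, User |
    Select-Object Count,
                  @{ n = 'Address'; e = { $_.Group[0].Address } },
                  @{ n = 'User';    e = { $_.Group[0].User } } |
    Sort-Object Count -Descending
```

To run it against the real log, replace the `$samples` pipeline with `Get-WinEvent -FilterHashtable @{LogName='System';ID='10036'} | ForEach-Object { ConvertFrom-DcomAuthLevelEvent -Message $_.Message -TimeCreated $_.TimeCreated }`. Windows PowerShell 5.1 quotes the CSV fields it emits; that is cosmetic and does not change the values.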