How to get nested objects in Get-EventLog output?

Time:03-10

I want to get the Client Address from the logs. How can I do it?

Command that I use

Get-EventLog -LogName Security -After (Get-Date).AddSeconds(-300) -Before (Get-Date) | Where-Object -Property InstanceId -Match "4769" | Where-Object -Property ReplacementStrings -Contains $name | fl


CodePudding user response:

# Get-EventLog returns EventLogEntry objects, which have no ToXml() method; Get-WinEvent returns
# EventLogRecord objects, which do. The trailing "| fl" must also go: it turns the records into
# formatting objects, so $events[0].ToXml() would fail.
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769; StartTime=(Get-Date).AddSeconds(-300); EndTime=(Get-Date)} |
    Where-Object { $_.Properties.Value -contains $name }

$xEvt = [xml]$events[0].ToXml()

# The client address is the <Data> element named 'IpAddress'; 'Network Information' is only a
# section heading in the rendered message text, not a Data element name.
$message = ($xEvt.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'

CodePudding user response:

You should use the Get-WinEvent cmdlet rather than Get-EventLog.

Below code should do what you want:

$name      = 'someoneinparticular'
$endTime   = (Get-Date)
$startTime = $endTime.AddSeconds(-300)

# using UserID='USERSID' doesn't seem to work, but you can use Data='USERSID' or Data='USERNAME'
$filter    = @{LogName='Security';ID=4769;StartTime=$startTime;EndTime=$endTime; Data=$name}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml   = ([xml]$_.ToXml()).Event
    $userName   = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $userDomain = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    $IpAddress  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    $IpPort     = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpPort' }).'#text'
    # output the properties you need
    [PSCustomObject]@{
        UserDomain = $userDomain
        UserName   = $userName
        IpAddress  = $IpAddress
        IpPort     = $IpPort
        Date       = [DateTime]$eventXml.System.TimeCreated.SystemTime
    }
}

If adding the username to the filter does not provide the results you need (maybe because you enter only a partial username), you can do this instead:

$name      = 'someoneinparticular'
$endTime   = (Get-Date)
$startTime = $endTime.AddSeconds(-300)
$filter    = @{LogName='Security';ID=4769;StartTime=$startTime;EndTime=$endTime}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml   = ([xml]$_.ToXml()).Event
    $userName   = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if ($userName -like "*$name*") {
        $userDomain = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        $IpAddress  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        $IpPort     = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpPort' }).'#text'
        # output the properties you need
        [PSCustomObject]@{
            UserDomain = $userDomain
            UserName   = $userName
            IpAddress  = $IpAddress
            IpPort     = $IpPort
            Date       = [DateTime]$eventXml.System.TimeCreated.SystemTime
        }
    }
}
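Both answers above reach the address by casting the record to `[xml]` and picking `<Data>` elements by name. The following is an added example, not code from either answer, that walks the `EventData` block once into a lookup table and then normalises the `IpAddress` value, which event 4769 writes as an IPv4-mapped IPv6 string (`::ffff:a.b.c.d`) for IPv4 clients and as `-` when no address was recorded. The function name `ConvertFrom-EventXml` and the sample 4769 XML are assumptions made for this example; the XML is constructed and carries no real data, so the block runs offline.

```powershell
# Added example (not from the original post). The sample XML below is constructed for this demo
# and mirrors the shape of a 4769 record as returned by EventLogRecord.ToXml().
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4769</EventID>
    <TimeCreated SystemTime="2023-03-10T08:15:42.1234567Z"/>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice@EXAMPLE.TEST</Data>
    <Data Name="TargetDomainName">EXAMPLE.TEST</Data>
    <Data Name="ServiceName">SVC-SQL</Data>
    <Data Name="ServiceSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.20.30.40</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@

function ConvertFrom-EventXml {
    # Hypothetical helper name chosen for this example.
    param([Parameter(Mandatory)][string]$Xml)

    $event = ([xml]$Xml).Event

    # Walk <EventData><Data Name="..."> once and build a name -> value table,
    # instead of running a separate Where-Object pass per field.
    $data = [ordered]@{}
    foreach ($d in $event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4769 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d). Strip the 7-character
    # prefix so the value compares and sorts as a plain IPv4 address. A bare '-' means no
    # address was recorded, so report it as $null rather than a dash.
    $ip = $data['IpAddress']
    if ($ip -eq '-') { $ip = $null }
    elseif ($ip -like '::ffff:*') { $ip = $ip.Substring(7) }

    [PSCustomObject]@{
        TimeCreated    = [datetime]$event.System.TimeCreated.SystemTime
        Computer       = $event.System.Computer
        UserName       = $data['TargetUserName']
        UserDomain     = $data['TargetDomainName']
        ServiceName    = $data['ServiceName']
        ClientAddress  = $ip
        ClientPort     = [int]$data['IpPort']
        EncryptionType = $data['TicketEncryptionType']
        Status         = $data['Status']
    }
}

# Offline run against the constructed sample:
ConvertFrom-EventXml -Xml $sampleXml | Format-List

# Same function against the live Security log (last 5 minutes of 4769s, filtered on a partial
# user name as in the second answer):
# $name = 'alice'
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769; StartTime=(Get-Date).AddSeconds(-300)} |
#     ForEach-Object { ConvertFrom-EventXml -Xml $_.ToXml() } |
#     Where-Object { $_.ClientAddress -and $_.UserName -like "*$name*" }
```

Building the table first means every field of the record, not only the four picked out above, is available by name, and the address normalisation keeps later comparisons (for example matching `ClientAddress` against a list of known hosts) from silently failing on the `::ffff:` prefix.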