
I want to figure out which user, IP and workstation name connects remotely to a station. This can be seen in the event log as event ID 4624 with logon type 10 (RemoteInteractive, such as RDP). When this case happens, I need some data from the message field, but only some of it, not all.

Get-WinEvent -FilterHashtable @{Path="c:\temp\raw_data\SavedSecurity.evtx"} |
    Where-Object { $_.Id -eq 4624 -and $_.Properties[8].Value -eq 10 } |   # Properties[8] of a 4624 event is LogonType; 10 = RemoteInteractive
    Select-Object -Property TimeCreated, Message |
    Out-Host -Paging   # page through the output instead of piping to 'pause', which does not accept pipeline input

I know I can get a lot of data with the code above, including the remote IP, remote workstation name and remote user ID within the message field.

Here comes the challenge: I only want some data from the message field:

TargetUserName testuser
TargetDomainName testlab.internal 
TargetLogonId 0xb6f45e 
LogonType 7 
WorkstationName testclientwin7 
IpAddress 127.0.0.1 
IpPort 64372

Message: Successful Login

Any ideas how to write them (only these fields, not the additional ones) to a CSV file with header names the same as the selected data items?

thanks

peter


1 Answer


Any ideas how to write them (only these fields, not the additional ones) to a CSV file with header names the same as the selected data items?

Plenty!

Here's the safest (although probably least obvious) - use an EventPropertySelector!

# XPath selectors for the <Data Name="..."> nodes under EventData that we want
$SelectorStrings = [string[]]@(
    'Event/EventData/Data[@Name="TargetUserName"]',
    'Event/EventData/Data[@Name="TargetDomainName"]',
    'Event/EventData/Data[@Name="TargetLogonId"]',
    'Event/EventData/Data[@Name="LogonType"]',
    'Event/EventData/Data[@Name="WorkstationName"]',
    'Event/EventData/Data[@Name="IpAddress"]',
    'Event/EventData/Data[@Name="IpPort"]'
)
# Build the selector once and reuse it for every event instead of recreating it per event
$PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)

Get-WinEvent -FilterHashtable @{Path="c:\temp\raw_data\SavedSecurity.evtx"} |
    Where-Object { $_.Id -eq 4624 -and $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        # GetPropertyValues returns the values in the same order as the selector strings
        $UserName,$Domain,$LogonId,$LogonType,$ComputerName,$IPAddress,$Port = $_.GetPropertyValues($PropertySelector)

        # [ordered] keeps the property order stable, so Export-Csv writes the columns in this order
        [pscustomobject][ordered]@{
            TimeCreated  = $_.TimeCreated
            UserName     = $UserName
            Domain       = $Domain
            LogonId      = $LogonId
            LogonType    = $LogonType
            ComputerName = $ComputerName
            IPAddress    = $IPAddress
            Port         = $Port
            Message      = $_.Message
        }
    }

In the above code snippet, we use XPath location selectors to grab the relevant Data nodes from the event's XML structure. If any of them don't exist, the corresponding variable will simply be an empty string.

  • Thank you @Mathias R. Jessen, I tried your code snippet, which works except for the following: a lot of exceptions `Exception setting "GetPropertyValues": "Cannot set the Value property for PSMemberInfo object of type "System.Management.Automation.PSMethod"." At line:13 char:75 + ... mputerName,$IPAddres,$Port = $_.GetPropertyValues = $PropertySelector` and the Message has all the garbage I don't want. I need only the first sentence, "An Account logged on.", and not the rest of the message. – Peter Core Jan 31 '18 at 12:19
  • @PeterCore Sorry, there was a typo (double assignment) in the script, please try again now that I've updated it – Mathias R. Jessen Jan 31 '18 at 12:22
  • @Mathias R. Jessen, nearly perfect, thank you. Just the export to CSV only fills the first column; I'm trying to fix that. Nice solution. – Peter Core Jan 31 '18 at 14:29
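The following is an added example, not the answer's code, that ties the thread together end to end: it lets Get-WinEvent filter on event ID 4624, builds the EventLogPropertySelector once, keeps only the seven fields from the question plus the first line of the rendered message (the point raised in the comments), and writes an ordered CSV with Export-Csv. The .evtx path is the one from the question, the output path and the list of logon types to keep are assumptions.

```powershell
# Added example (not the answer's code): extract RDP (LogonType 10) logons from a saved
# Security log into a CSV with one column per requested field.
# Assumptions: the .evtx and .csv paths are placeholders; PowerShell 5.1 or later.
param(
    [string]$EvtxPath   = 'c:\temp\raw_data\SavedSecurity.evtx',  # path used in the question
    [string]$CsvPath    = 'c:\temp\rdp_logons.csv',               # assumed output location
    [int[]] $LogonTypes = @(10)                                   # 10 = RemoteInteractive; the question's sample row is type 7 (Unlock)
)

# The EventData field names we want, in the column order they should appear in the CSV
$fieldNames = 'TargetUserName','TargetDomainName','TargetLogonId','LogonType','WorkstationName','IpAddress','IpPort'

# Turn each name into an XPath selector for its <Data Name="..."> node and build the selector once
$selectorStrings = [string[]]($fieldNames | ForEach-Object { 'Event/EventData/Data[@Name="{0}"]' -f $_ })
$selector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($selectorStrings)

# Filtering on Id inside the FilterHashtable is much faster than filtering every event in PowerShell.
# -ErrorAction SilentlyContinue stops Get-WinEvent from throwing when the file holds no matching events.
$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4624 } -ErrorAction SilentlyContinue

$rows = foreach ($event in $events) {
    # Values come back in the same order as $fieldNames; index 3 is LogonType
    $values = $event.GetPropertyValues($selector)
    if ([int]$values[3] -notin $LogonTypes) { continue }

    # Keep only the first line of the rendered message ("An account was successfully logged on.")
    $firstLine = if ($event.Message) { ($event.Message -split "`r?`n")[0].Trim() } else { '' }

    $row = [ordered]@{ TimeCreated = $event.TimeCreated }
    for ($i = 0; $i -lt $fieldNames.Count; $i++) {
        # A missing Data node yields $null; normalise to '' so every row has the same columns
        $row[$fieldNames[$i]] = if ($null -eq $values[$i]) { '' } else { [string]$values[$i] }
    }
    $row['Message'] = $firstLine
    [pscustomobject]$row
}

# -NoTypeInformation drops the "#TYPE" line so the header row is the first line of the file
$rows | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
Write-Host ("Wrote {0} logon rows to {1}" -f @($rows).Count, $CsvPath)
```

The objects are built from an `[ordered]` hashtable so that the CSV header follows the order of `$fieldNames` rather than whatever order a plain hashtable happens to enumerate. When reviewing the output, remember that the question's sample row carries LogonType 7 (Unlock), not 10; an RDP session that is locked and unlocked produces type 7 events with the same user and workstation, so include 7 in `$LogonTypes` only if you want those in the inventory as well.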