I am trying to create a script that pulls failed logon attempts for certain events in the past 24 hours, but I can't figure out how to pull the account information out. User is null all the time, so the info is blank, BUT when I look in the General tab I can see "Account Information".

I would like to pull and add what it shows in the XML view under "EventData", which is TargetUserName. How can I get this done? What I have so far works fine, but I need the username info, and what my script pulls is always blank.

System: Windows Server 2008 R2. The log I am pulling from is the Security log, with event IDs 4625, 4768, 4771, 4772 for the past 24 hours.

My code:

get-eventlog Security 4625,4768,4771,4772 -after ((get-date).addDays(-1))| export-csv

MJT

2 Answers

I think you'll have to change this around because each event has a different message, but if I try to fail a login, I can get the username from event 4776 like this:

# Get the most recent event 4776 (NTLM credential validation) from the Security log
$event = Get-EventLog -LogName Security -InstanceId 4776 -Newest 1

# Pull the "Logon Account: testuser" text out of the event's message body.
# -match returns $true/$false and, on success, fills the automatic $matches hashtable
$usernameMatch = $event.Message -match 'Logon Account:\s+(?<account>.*)'

if ($usernameMatch) {
    # Inside a double-quoted string the index has to be wrapped in $( ), otherwise
    # only $matches expands and the literal text ['account'] is printed after it
    $account = $matches['account'].Trim()
    Write-Output "Someone tried to logon as the user $($account)"
}

Otherwise, I think you can get the XML message using this:

# -LogName and -FilterHashtable belong to different parameter sets, so the log name
# goes inside the hashtable; -MaxEvents 1 returns only the newest matching event
$event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 1
$event.ToXml()
TessellatingHeckler
@Peter-core appears to know how to accomplish this without needing to parse and search the message body and without converting to XML. Use the following to find the extended fields (part of the template?) for each event:

(Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing).Events|Where-object{@(4625,4768,4771,4772) -contains $_.Id}

Use Get-WinEvent to get the events; you can use XPath to filter data more quickly (only return events you are interested in to start with), or you can filter them after they return using Where-Object. XPath is the better option for a larger number of devices, event logs, or events, but I hate trying to write one.

Get-WinEvent -LogName Security | Where-Object { $_.TimeCreated -gt ((Get-Date).AddDays(-1)) -and @(4625,4768,4771,4772) -contains $_.Id }

From there you can try and implement what @Peter-Core wrote. I can't make it work for myself, but the coding looks sound.
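Putting the two answers together (the Get-WinEvent filter from this answer and the ToXml() route from the first one), here is an added example, not code from the question or either answer, that reads TargetUserName and a few related fields straight out of each event's EventData for the asker's four IDs. It assumes the script runs on a host that logs those IDs (4768/4771/4772 only appear on a domain controller) and the output path is a placeholder.

```powershell
# Added example: failed-logon report for 4625/4768/4771/4772 over the last 24 hours.
# Get-WinEvent filters server-side, so only matching events are returned.
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4772
    StartTime = (Get-Date).AddDays(-1)
}

# -ErrorAction SilentlyContinue suppresses the "No events were found" error when the
# window is empty, so the script produces an empty CSV instead of a red error line
$report = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # ToXml() returns exactly what Event Viewer shows under "XML View"
    $xml = [xml]$_.ToXml()

    # Every <Data Name="..."> element under <EventData> becomes a key in this table,
    # so fields can be read by name instead of by position (positions differ per ID)
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # Fields missing for a given ID (e.g. 4771 has no TargetDomainName) come back as $null
    [pscustomobject]@{
        TimeCreated      = $_.TimeCreated
        Id               = $_.Id
        TargetUserName   = $data['TargetUserName']
        TargetDomainName = $data['TargetDomainName']
        IpAddress        = $data['IpAddress']
        Status           = $data['Status']    # NTSTATUS (4625) or Kerberos error code (4768/4771)
    }
}

# Placeholder path; replace with the real report location
$report | Export-Csv -Path 'C:\PLACEHOLDER\failed-logons.csv' -NoTypeInformation
```

Because the lookup is by field name, the same loop works for any Security event whose EventData carries TargetUserName, not only the four IDs in the filter.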