
I am trying to extract a specific line from the message output of a Get-WinEvent cmdlet and haven't been able to find a way to do this (I could be searching incorrectly, but am still learning more advanced scripting methods). What I am running is this:

Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} -MaxEvents 1 | Select Message | Format-List

Which will return a message similar to this (changed some info to generic info):

Message : The computer attempted to validate the credentials for an account.
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    jdoe
Source Workstation:    Generic-Computername
Error Code:    0x0

I am attempting to create an easy way to find the computer someone last logged into, for faster troubleshooting, but I am unable to filter out only the Source Workstation line. I could just not have the correct syntax for a good search to find the results I am looking for, but I have been searching for about a week now and haven't found anything close to what I am looking for. Any help would be great!

  • Can you provide an example for `$userid` assigned to `Data` (to reproduce)? Also, can you clarify what you want to achieve? – Martin Brandl Mar 24 '16 at 14:49
  • Definitely, $userid would be something along the lines of jdoe, just a username that is in the data field of the event log which is allowing me to pull a log with that specific users username, I tried using regex as you had in your answer and this worked! As far as what I am trying to accomplish I am wanting an easy way to see what computer someone last logged into so that I know what computer I am trying to remote in to and assist a user, if you know of an easier or better way I am all ears :) – Coding-Enthusiast Mar 24 '16 at 17:29

1 Answer


I'm not sure what information you want to retrieve, but I'm pretty sure there is a better way than using Get-WinEvent to obtain that information. However, if you just want to get the value of Source Workstation you can do that with a regex:

$event = Get-WinEvent `
    -ComputerName $DC `
    -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} `
    -MaxEvents 1 `
    | Select -expand Message

# (?m) lets $ match at the end of each line; the lazy (.*?) plus trailing \s*$
# keeps a trailing tab or \r (event messages use CRLF) out of the captured value.
[regex]::Match($event, '(?m)Source Workstation:\s*(.*?)\s*$').Groups[1].Value
Martin Brandl
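The following is an added example, not code from the question or the answer above. It does two things the thread discusses: a reusable version of the regex extraction that works for any "Field: value" line of the message text, and the structured alternative the answer alludes to, reading the same value from the event's EventData by name via `ToXml()` instead of scraping localised message text. The message shown in the question is the text of Security event 4776 (NTLM credential validation), so the lookup function filters on that ID rather than on the Audit Success keyword. Two caveats a practitioner should keep in mind: 4776 is only written for NTLM validation, so Kerberos logons (4768/4769) never show up in it, and the Workstation value is supplied by the client, so it is a troubleshooting hint rather than proof of where the user sat. The function names `Get-EventMessageField` and `Get-LastNtlmWorkstation`, and the `$sampleMessage` text, are my own constructions; the EventData field names `TargetUserName`, `Workstation` and `Status` are those Windows uses for event 4776.

```powershell
# Added example (not from the original post). Extracts a named field from the
# message text of a Security event, and also reads the structured EventData.

function Get-EventMessageField {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][string]$FieldName
    )
    # Match "<FieldName>:" at the start of a line, skip the tabs/spaces the event
    # renderer inserts, capture lazily to end of line, and let \s*$ swallow any
    # trailing tab or \r so CRLF messages do not leave a \r in the value.
    $pattern = '(?m)^\s*' + [regex]::Escape($FieldName) + ':\s*(.*?)\s*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

# Constructed sample in the shape of the 4776 message shown in the question.
$sampleMessage = @"
The computer attempted to validate the credentials for an account.

Authentication Package:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:`tjdoe
Source Workstation:`tGeneric-Computername
Error Code:`t0x0
"@

Get-EventMessageField -Message $sampleMessage -FieldName 'Source Workstation'   # Generic-Computername
Get-EventMessageField -Message $sampleMessage -FieldName 'Error Code'           # 0x0

function Get-LastNtlmWorkstation {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$UserName,
        [int]$MaxEvents = 5
    )
    # Filter on the event ID directly. Data matches any EventData value, which is
    # how the question's Data=$userid filter selects this user's events.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4776; Data = $UserName
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Read EventData by name; this does not depend on message language or layout.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated            = $ev.TimeCreated
            User                   = $data['TargetUserName']
            Workstation            = $data['Workstation']     # client-supplied; treat as a hint
            Status                 = $data['Status']          # 0x0 = validation succeeded
            WorkstationFromMessage = Get-EventMessageField -Message $ev.Message -FieldName 'Source Workstation'
        }
    }
}

# Usage (requires rights to read the Security log on the DC):
# Get-LastNtlmWorkstation -DomainController $DC -UserName 'jdoe' | Format-Table -AutoSize
```

Both columns, `Workstation` and `WorkstationFromMessage`, should agree; the XML path is the one to rely on in scripts, because the message text is rendered from the message DLL at read time and changes with the OS language and version, while the EventData names do not. `$ev.Properties` offers the same values by position, but positional indexing is easy to get wrong when a template gains a field, so naming the element is the safer choice.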