How to get nested objects in Get-EventLog output?

Question

I want to get Client Address from logs. How I can do it?

Command that I use

Get-EventLog -LogName Security -After (date).AddSeconds(-300) -Before (date) | Where-Object -Property InstanceId -Match "4769" | Where-Object -Property ReplacementStrings -Contains $name | fl

By the looks of it, it is just raw text so you might need to parse it your self. Confirm the type by calling the GetType() method on the message object - (Get-EventLog -LogName Security -After (date).AddSeconds(-300) -Before (date) | Where-Object -Property InstanceId -Match "4769" | Where-Object -Property ReplacementStrings -Contains $name).Message.gettype() — Otter
– Otter, Commented Mar 8, 2022 at 12:46

Theo · Accepted Answer · 2022-03-09 15:52:23Z

You should use the Get-WinEvent cmdlet rather than Get-EventLog.

Below code should do what you want:

$name      = 'someoneinparticular'
$endTime   = (Get-Date)
$startTime = $endTime.AddSeconds(-300)

# using 'userid='USERSID' doesn't seem to work, but you can use 'data='USERSID' or 'data='USERNAME'
$filter    = @{LogName='Security';ID=4769;StartTime=$startTime;EndTime=$endTime; Data=$name}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        # convert the event to XML and grab the Event node
        $eventXml   = ([xml]$_.ToXml()).Event
        $userName   = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        $userDomain = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        $IpAddress  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        $IpPort     = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpPort' }).'#text'
        # output the properties you need
        [PSCustomObject]@{
            UserDomain = $userDomain
            UserName   = $userName
            IpAddress  = $IpAddress
            IpPort     = $IpPort
            Date       = [DateTime]$eventXml.System.TimeCreated.SystemTime
        }
    }

If adding the username to the filter does not provide the results you need (maybe because you enter only a patrial username), you can do this instead:

$name      = 'someoneinparticular'
$endTime   = (Get-Date)
$startTime = $endTime.AddSeconds(-300)
$filter    = @{LogName='Security';ID=4769;StartTime=$startTime;EndTime=$endTime}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        # convert the event to XML and grab the Event node
        $eventXml   = ([xml]$_.ToXml()).Event
        $userName   = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($userName -like "*$name*") {
            $userDomain = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
            $IpAddress  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            $IpPort     = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpPort' }).'#text'
            # output the properties you need
            [PSCustomObject]@{
                UserDomain = $userDomain
                UserName   = $userName
                IpAddress  = $IpAddress
                IpPort     = $IpPort
                Date       = [DateTime]$eventXml.System.TimeCreated.SystemTime
            }
        }
    }

Narayana Lvsl · Accepted Answer · 2022-03-08 14:42:44Z

0

$events=Get-EventLog -LogName Security -After (date).AddSeconds(-300) -Before (date) | Where-Object -Property InstanceId -Match "4769" | Where-Object -Property ReplacementStrings -Contains $name | fl

$xEvt=[xml]$events[0].ToXml()

$message= ($xEvt.Event.EventData.Data | where { $_.Name -eq 'Network Information' }).'#text'

answered Mar 8, 2022 at 14:42

Narayana Lvsl

3832 silver badges11 bronze badges

Collectives™ on Stack Overflow

How to get nested objects in Get-EventLog output?

2 Answers 2

Comments

Comments

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Comments

Comments

Related