Oh. No. Not from there. In the raw event log entry (which you can get from WMI), you'll see InsertionStrings, ReplacementStrings, and the Message. You can SOMETIMES get what you want from ReplacementStrings. But more often than not you will still be looking at painful regexes or just flat-out string processing (which is what I normally do).

-----Original Message-----
From: Joseph L. Casale [mailto:[email protected]]
Sent: Thursday, May 24, 2012 12:32 PM
To: NT System Admin Issues
Subject: RE: Powershell Eventlog Reporting

Sorry Michael,

The Message is a string, which makes for large capturing regexes, total pain...
I had hoped the Member|Account name was accessible from within the Message property...

An example output:

Get-WinEvent Security |?{ $_.Id -eq 4729 } |fl

TimeCreated  : 5/24/2012 9:40:16 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4729
Message      : A member was removed from a security-enabled global group.

               Subject:
                   Security ID:     S-1-5-21-2887164728-1639811974-4180998483-500
                   Account Name:    Administrator
                   Account Domain:  FOO
                   Logon ID:        0x332ab

               Member:
                   Security ID:     S-1-5-21-2887164728-1639811974-4180998483-1109
                   Account Name:    CN=user,OU=1,OU=a,DC=foo,DC=local

               Group:
                   Security ID:     S-1-5-21-2887164728-1639811974-4180998483-5135
                   Group Name:      Grp_Test
                   Group Domain:    FOO

               Additional Information:
                   Privileges:      -

________________________________________
From: Michael B. Smith [[email protected]]
Sent: Thursday, May 24, 2012 10:10 AM
To: NT System Admin Issues
Subject: RE: Powershell Eventlog Reporting

I don't understand what you are asking?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
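
The string processing discussed in this thread, as an added example that is not part of the original messages: it walks the Message text of the event 4729 above line by line, without a capturing regex, and collects the fields under their section headings. The function name ConvertFrom-AuditMessage is hypothetical, and the sample text is constructed from the output quoted above.

```powershell
# Constructed sample: the Message text of the event 4729 quoted in the thread.
$sampleMessage = @'
A member was removed from a security-enabled global group.

Subject:
    Security ID:     S-1-5-21-2887164728-1639811974-4180998483-500
    Account Name:    Administrator
    Account Domain:  FOO
    Logon ID:        0x332ab
Member:
    Security ID:     S-1-5-21-2887164728-1639811974-4180998483-1109
    Account Name:    CN=user,OU=1,OU=a,DC=foo,DC=local
Group:
    Security ID:     S-1-5-21-2887164728-1639811974-4180998483-5135
    Group Name:      Grp_Test
    Group Domain:    FOO
Additional Information:
    Privileges:      -
'@

# Hypothetical helper: turns "Section:" / "Name: Value" lines into nested tables.
# Assumption: a field with an empty value would be read as a section heading.
function ConvertFrom-AuditMessage {
    param([Parameter(Mandatory=$true)][string]$Message)
    $result  = [ordered]@{}
    $section = $null
    foreach ($line in ($Message -split "`r?`n")) {
        $text = $line.Trim()
        $idx  = $text.IndexOf(':')
        if ($idx -lt 0) { continue }              # blank or description line
        $name  = $text.Substring(0, $idx).Trim()
        $value = $text.Substring($idx + 1).Trim() # split on the FIRST colon only
        if (-not $value) {                        # "Subject:" starts a section
            $section = $name
            $result[$section] = [ordered]@{}
        } elseif ($section) {
            $result[$section][$name] = $value
        }
    }
    $result
}

$fields = ConvertFrom-AuditMessage -Message $sampleMessage
[pscustomobject]@{
    RemovedBy = '{0}\{1}' -f $fields['Subject']['Account Domain'], $fields['Subject']['Account Name']
    Member    = $fields['Member']['Account Name']
    Group     = '{0}\{1}' -f $fields['Group']['Group Domain'], $fields['Group']['Group Name']
}
```

To run it over live events, pass `$_.Message` from the `Get-WinEvent` pipeline shown above instead of the sample; the field labels are matched as English text, so a localized message needs its own labels.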
