I have the following command which gives the information I need but I need to filter it a little further:
Get-EventLog -LogName Security -ErrorAction SilentlyContinue | Select TimeWritten, ReplacementStrings | Export-Csv output.csv
This gives many entries such as this:
09/11/2012 08:09:27 {S-1-5-18, SYSTEM, NT AUTHORITY, 0x3e7...}
I want to remove any entry in ReplacementStrings that starts with '{S-1-5' but my attempts to use Where-Object and -notlike fail to make any difference!
The other problem I have is that without the Export-Csv output.csv added it displays on screen fine, but with that it writes to the file like this:
"09/11/2012 09:22:05","System.String[]"
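# Join the ReplacementStrings array into a single ';'-separated string,
# then drop entries whose joined string starts with S-1-5 before exporting.
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
Select-Object TimeWritten, @{name='ReplacementStrings';Expression={ $_.ReplacementStrings -join ';'}} |
Where-Object {$_.ReplacementStrings -notmatch '^S-1-5'} | Export-Csv output.csv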
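
Why both symptoms in the question occur and why joining the array fixes them, as an added example that is not part of the original question or answer. The records are constructed samples (the `jsmith` and `CONTOSO` values are invented), `ConvertTo-Csv` stands in for `Export-Csv` so nothing is written to disk, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Constructed sample records shaped like Get-EventLog output (not real log data).
$events = @(
    [pscustomobject]@{
        TimeWritten        = [datetime]'2012-11-09T08:09:27'
        ReplacementStrings = [string[]]@('S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7')
    }
    [pscustomobject]@{
        TimeWritten        = [datetime]'2012-11-09T09:22:05'
        ReplacementStrings = [string[]]@('jsmith', 'CONTOSO', '0x1a2b3c', '3')
    }
)

# The braces on screen are only how the formatter renders a string[]; no
# element begins with '{', so this pattern can never exclude anything.
$bracePattern = @($events | Where-Object { $_.ReplacementStrings -notlike '{S-1-5*' })

# Dropping the brace is not enough: with an array on the left, -notlike
# returns the elements that do not match. 'SYSTEM' and the rest come back,
# the non-empty result is truthy, and the SID record still passes.
$arrayOperand = @($events | Where-Object { $_.ReplacementStrings -notlike 'S-1-5*' })

# Comparing a single element yields a real boolean, so the filter works.
$filtered = @($events | Where-Object { $_.ReplacementStrings[0] -notlike 'S-1-5*' })

# CSV export writes each property via ToString(), which for an array is the
# type name "System.String[]". Join the elements into one string first.
$csv = $filtered |
    Select-Object TimeWritten,
        @{ Name = 'ReplacementStrings'; Expression = { $_.ReplacementStrings -join ';' } } |
    ConvertTo-Csv -NoTypeInformation

"Records kept: brace pattern=$($bracePattern.Count), array operand=$($arrayOperand.Count), first element=$($filtered.Count)"
$csv
```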