I need help on completing a PowerShell script in which I can get specific Security Event Logs and export it to CSV file. Currently, I have this line,
Get-EventLog -LogName Security 4720,4722,4725 -After ((Get-Date).AddDays(-1)) | Export-CSV "C:\EventLogs.csv"
This does get the security events that I want to get. However, the information it provides is incomplete. It does not include these 2 in the output,
Is there a way to include these 2 above?
I was told that Get-WinEvent is better suited to do this but I am fairly new to PowerShell scripting so I would really appreciate a little help. Thank you
Generally, Export-Csv will:
In your case, however, it sounds like the information of interest may be contained inside the type's Message property.
Thus, you must use an intermediate Select-Object call with a carefully crafted hashtable in order to extract the information of interest as separate properties that Export-Csv will then export:
Here's an example that extracts the account names from the Message property and exports them as separate columns:
Get-EventLog -LogName Security 4720,4722,4725 -After ((Get-Date).AddDays(-1)) |
  # EventLogEntry has no 'Time' property (that is only a display column); TimeGenerated is the real timestamp
  Select-Object EventID, TimeGenerated, @{
    n='AccountName';
    # non-greedy .*? stops at the FIRST 'Account Name:' in the message, i.e. the subject (acting) account
    e={ ($_.Message -replace '\n', ' ') -replace '.*?account name:\t+([^\s]+).*', '$1' }
  }, @{
    n='TargetAccount';
    # greedy .* runs to the LAST 'Account Name:' in the message, i.e. the target account
    e={ ($_.Message -replace '\n', ' ') -replace '.*account name:\t+([^\s]+).*', '$1' }
  } | Export-Csv 'C:\EventLogs.csv'
Note how the first regex passed to -replace is non-greedy (.*?), which means that the first occurrence will be matched, whereas the second one is greedy (just .*), which means that the last occurrence will be matched.
The extra step of replacing line breaks with spaces is necessary, because -replace apparently invariably matches line by line.
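As an added example (not part of the question or the answer above), here is the same export done with Get-WinEvent, which the question mentions: it reads the structured EventData fields from each event's XML instead of regex-matching the localized Message text, so the subject and target accounts come out as named columns. It assumes an elevated session (reading the Security log needs admin rights) and reuses the C:\EventLogs.csv path from the question.

```powershell
# Added example: export Security events 4720/4722/4725 with the acting and
# target accounts as separate CSV columns, taken from the event XML rather
# than from the free-text Message. Assumes an elevated PowerShell session.
$since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4722, 4725      # user created / enabled / disabled
    StartTime = $since
} -ErrorAction SilentlyContinue        # "no events found" is reported as an error; ignore it

$rows = foreach ($evt in $events) {
    # ToXml() exposes <EventData><Data Name="...">value</Data></EventData>;
    # each Data node is a named field, independent of the display language.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated
        EventId        = $evt.Id
        Computer       = $evt.MachineName
        # Subject* fields identify the account that performed the action
        SubjectAccount = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Target* fields identify the account that was created/enabled/disabled
        TargetAccount  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        TargetSid      = $data['TargetSid']
    }
}

$rows | Sort-Object TimeCreated |
    Export-Csv -Path 'C:\EventLogs.csv' -NoTypeInformation -Encoding UTF8
```

Because the field names (SubjectUserName, TargetUserName, TargetSid) are fixed per event ID, the same loop works unchanged on systems with a non-English UI, where the 'Account Name:' regex would not match.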