As a part of my security admin duties, I need to look through Windows event logs on the domain controller for failed login attempts.
What I currently do is go to the security logs within windows event viewer and filter by Audit Failures. I have to do this on a daily basis. It is a bit of a cumbersome and tedious process for a simple task.
I would like to be able to use PowerShell to pull out the information I need and export it to CSV so I can easily skim through the information and sort as needed.
As an example of what I was attempting, I tried the following:
Get-WinEvent -FilterHashtable @{ logname = 'Security'; id = 4771 } |
Export-Csv -NoType "c:\Output.csv"
The problem is, this output does not show the username, target IP, or port. When I look at one of the events, I see that these values can be found in the raw XML view (TargetUserName, IpAddress, IpPort) but I just can't figure out how to query those values to show up in the output. Does anyone know how this can be accomplished?
The values you are looking for are in the Properties property. Try this:
Get-WinEvent -FilterHashtable @{ logname = 'Security'; id = 4771 } | Select-Object TimeCreated,
@{ Name='TargetUserName'; Expression={$_.Properties[0].value}},
@{ Name='IpPort'; Expression={$_.Properties[7].value}},
@{ Name='IpAddress'; Expression={$_.Properties[6].value -replace "::ffff:"}}
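Putting the answer's field extraction together with the question's goal (a daily CSV of failed Kerberos pre-authentication events), here is a complete script I wrote as an added example; it is not code from the question or the answer above. It goes one step beyond the answer by reading the EventData fields by name from the event XML rather than by Properties[] index, which keeps working if the field order of a future event version differs. The 24-hour window, the output path and the parameter names are my assumptions.

```powershell
# Added example, not from the original question or answer. Pull the last day's
# event ID 4771 (Kerberos pre-authentication failed) records from the Security
# log, read the EventData fields by name from each event's XML, and export them
# to CSV. Window, output path and parameter names are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OutFile      = "C:\Output.csv",
    [int]$Hours           = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches,
# which is a normal outcome for a quiet day rather than a failure of the script.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event body is XML; every <Data Name="..."> element under <EventData>
        # becomes a hashtable entry keyed by its Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            Computer       = $xml.Event.System.Computer
            TargetUserName = $data['TargetUserName']
            # IPv4 clients are logged as IPv4-mapped IPv6 addresses (::ffff:10.0.0.5);
            # strip the prefix so the CSV sorts and filters as plain IPv4.
            IpAddress      = $data['IpAddress'] -replace '^::ffff:'
            IpPort         = $data['IpPort']
            # Status is the Kerberos error code; 0x18 (KDC_ERR_PREAUTH_FAILED) is the
            # usual bad-password case, other codes point at clock skew, disabled
            # accounts and similar causes worth separating out in the review.
            Status         = $data['Status']
            PreAuthType    = $data['PreAuthType']
        }
    } |
    Sort-Object TimeCreated -Descending |
    Export-Csv -NoTypeInformation -Path $OutFile
```

Run it as a scheduled task on the domain controller (or with -ComputerName against it from an admin workstation) and the CSV covers exactly the window since the last run. Keeping Status in the output matters for the daily review: a burst of 0x18 against one account from one IpAddress reads very differently from scattered failures with other codes.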