powershell

get-winevent: add parts of extended data to csv-columns


I want to figure out which user, IP and WorkstationName is connecting remotely to a station. This can be seen in the event log as event ID 4624 with LogonType 10 (RemoteInteractive, such as RDP). When this case happens, I need to extract some data from the "Message" field, but not all of it.

# Filter the saved Security log for 4624 events whose LogonType (property index 8) is 10
Get-WinEvent -FilterHashtable @{Path="c:\temp\raw_data\SavedSecurity.evtx"} |
    Where-Object { $_.Id -eq 4624 -and $_.Properties[8].Value -eq 10 } |
    Select-Object -Property TimeCreated, Message

I know I can get a lot of data with the provided code, including the remote IP, remote workstation name and remote user ID within the Message field.

Here comes the challenge:

  • I only want some data from the Message field:

        TargetUserName    testuser
        TargetDomainName  testlab.internal
        TargetLogonId     0xb6f45e
        LogonType         7
        WorkstationName   testclientwin7
        IpAddress         127.0.0.1
        IpPort            64372

        Message: Successful Login

How can I write them (only these fields, not the additional ones) to a CSV file, including header names the same as the selected data items?


Solution

  • Any ideas how to write them (only these fields, not the additional ones) to a CSV file with header names the same as the selected data items?

    Plenty!

    Here's the safest (although probably least obvious) approach - use an EventLogPropertySelector!

    # Build the selector once, outside the loop. Each string is an XPath location path
    # to one Data node in the event's EventData section.
    $SelectorStrings = [string[]]@(
        'Event/EventData/Data[@Name="TargetUserName"]',
        'Event/EventData/Data[@Name="TargetDomainName"]',
        'Event/EventData/Data[@Name="TargetLogonId"]',
        'Event/EventData/Data[@Name="LogonType"]',
        'Event/EventData/Data[@Name="WorkstationName"]',
        'Event/EventData/Data[@Name="IpAddress"]',
        'Event/EventData/Data[@Name="IpPort"]'
    )
    $PropertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)

    Get-WinEvent -FilterHashtable @{Path="c:\temp\raw_data\SavedSecurity.evtx"} |
        Where-Object { $_.Id -eq 4624 -and $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            # GetPropertyValues returns the values in the same order as the selector strings
            $UserName,$Domain,$LogonId,$LogonType,$ComputerName,$IPAddress,$Port = $_.GetPropertyValues($PropertySelector)

            # [pscustomobject] keeps the properties in declaration order, so the CSV
            # columns come out in this order (a plain hashtable would not guarantee that).
            # Pipe the output to Export-Csv -NoTypeInformation to write the file.
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                UserName     = $UserName
                Domain       = $Domain
                LogonId      = $LogonId
                LogonType    = $LogonType
                ComputerName = $ComputerName
                IPAddress    = $IPAddress
                Port         = $Port
                Message      = $_.Message
            }
        }
    

    In the above code snippet, we use XPath location selectors to grab the relevant Data nodes from the Event's XML structure. If any of them don't exist, the corresponding variable will simply be an empty string.
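As an added example (not part of the question or the answer above), the same selector technique generalised into a reusable function: the 4624/LogonType filter is pushed into the event log engine with -FilterXPath instead of Where-Object, the field list drives both the selector and the CSV headers, and missing fields become empty cells. The function name, parameter names and file paths are assumptions chosen for this example.

```powershell
# Added example: export selected EventData fields of RDP logons (4624, LogonType 10) to CSV.
# Assumptions: Export-RdpLogonCsv is a name chosen here; the .evtx and .csv paths are placeholders.
function Export-RdpLogonCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EvtxPath,
        [Parameter(Mandatory)] [string] $OutCsv,
        # EventData field names; they become the CSV headers, in this order.
        [string[]] $Fields = @('TargetUserName','TargetDomainName','TargetLogonId',
                               'LogonType','WorkstationName','IpAddress','IpPort'),
        [int] $LogonType = 10
    )

    # Filter inside the event log engine rather than with Where-Object: only matching
    # records are deserialised, which matters on large Security logs.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='$LogonType']]"

    # Build the property selector once, not once per event.
    $selectorStrings = [string[]]($Fields | ForEach-Object { "Event/EventData/Data[@Name='$_']" })
    $selector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($selectorStrings)

    # Get-WinEvent raises a non-terminating error when no record matches; suppress it
    # so an empty log simply produces a CSV with headers only.
    Get-WinEvent -Path $EvtxPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $values = $_.GetPropertyValues($selector)
            # [ordered] keeps the column order stable; a plain hashtable does not.
            $row = [ordered]@{ TimeCreated = $_.TimeCreated; RecordId = $_.RecordId }
            for ($i = 0; $i -lt $Fields.Count; $i++) {
                # A field absent from this record comes back as $null; write an empty cell.
                $row[$Fields[$i]] = if ($null -eq $values[$i]) { '' } else { $values[$i] }
            }
            [pscustomobject]$row
        } |
        Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
}

# Usage (paths are placeholders):
# Export-RdpLogonCsv -EvtxPath 'c:\temp\raw_data\SavedSecurity.evtx' -OutCsv 'c:\temp\rdp_logons.csv'
```

Passing a different -Fields list (for example adding 'SubjectUserName' or 'LogonProcessName') changes the exported columns without touching the function body.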