Parse Windows login event for specific details

  • Question

  • Hi,

I have a Windows event that I want to search for in the event log using PowerShell.  I've got the basics but can't find how to drill further into the details.  This is what I have so far:

    get-eventlog security | where{$_.eventid -eq 4624 -and $_.message -match "Logon Type:\s+3"}

    The problem is in the event details I have the following:

    An account was successfully logged on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    New Logon:
        Security ID:        test\administrator
        Account Name:        administrator
        Account Domain:        test
        Logon ID:        0x318df67
        Logon GUID:        {0b843e34-532c-e4c2-9577-2ee19684f472}

    Process Information:
        Process ID:        0x0
        Process Name:        -

    Network Information:
        Workstation Name:    
        Source Network Address:    192.168.10.11
        Source Port:        51446

    How can I query for this information, as for example there are 2 instances of Security ID....

    Thanks

    James


    Alter De Ruine


    Monday, December 9, 2013 11:28 AM

Answers

  • The message you see is based on a template and several "replacement strings".  The indexes of these replacement strings in the array stay the same for a particular event ID, so for example, you could get the two Security IDs you mentioned like this:

    $event = get-eventlog security | 
             where{$_.eventid -eq 4624 -and $_.message -match "Logon Type:\s+3"} | 
             select -first 1
    
    "Subject Security ID: $($event.ReplacementStrings[0])"
    "New Logon Security ID: $($event.ReplacementStrings[4])"
    
    # List all of the replacement strings, along with their index.
    
    for ($i = 0; $i -lt $event.ReplacementStrings.Count; $i++)
    {
        "${i}: $($event.ReplacementStrings[$i])"
    }

    • Marked as answer by Yan Li_ Tuesday, December 17, 2013 12:27 PM
    Monday, December 9, 2013 12:55 PM
  • This blog post does not fully match your request but it shows how to deal with event log data in PowerShell and using the ToXml method:

    http://www.normanbauer.com/2012/01/10/how-to-get-detailed-information-on-windows-boot-and-shutdown-performance-in-powershell/

    Basically you'll need something like the following code to start with:

    #Get events in security log with id 4624
    $items = Get-WinEvent -FilterHashtable @{logname="Security"; id=4624;}
    #Get first item as xml
    $xmlitem = [xml]$items[0].ToXml()
    
    #Get EventID
    $xmlitem.Event.System.EventID
    #Get logging computer
    $xmlitem.Event.System.Computer
    #Get subject account (the account that requested the logon)
    $xmlitem.Event.EventData.Data | where-object {$_.Name -eq "SubjectUserName"}
    #Get account
    $xmlitem.Event.EventData.Data | where-object {$_.Name -eq "TargetUserName"}
    #Get logon type
    $xmlitem.Event.EventData.Data | where-object {$_.Name -eq "LogonType"}
    #Get ip address
    $xmlitem.Event.EventData.Data | where-object {$_.Name -eq "IpAddress"}
    #Get all data
    $xmlitem.Event.EventData.Data

    In your example the duplicate Security IDs resolve to - I think - SubjectUserName and TargetUserName.

    • Edited by Norman Bauer Monday, December 9, 2013 1:15 PM
    • Marked as answer by Yan Li_ Tuesday, December 17, 2013 12:27 PM
    Monday, December 9, 2013 1:11 PM
  • The objects returned by Get-WinEvent have a "Properties" property which is basically identical to the ReplacementStrings property on objects returned by Get-EventLog.  You don't have to convert to XML, in this case.
    • Marked as answer by Yan Li_ Tuesday, December 17, 2013 12:27 PM
    Monday, December 9, 2013 1:21 PM
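Putting the three answers together, here is an added example (not code from the thread) that filters 4624 events on the log provider side by Logon Type 3 instead of regex-matching the rendered message, and then maps each event's EventData onto named properties so the two Security IDs come out as SubjectUserSid and TargetUserSid rather than positional indexes. It assumes an elevated PowerShell session on a Windows host with read access to the Security log.

```powershell
# Added example, not from the original posts. Assumes an elevated session with
# read access to the Security log; event names follow the 4624 EventData schema.

function ConvertFrom-EventData {
    # Turn an EventLogRecord into an object whose properties are the
    # <Data Name="..."> elements of the event XML (the same values that sit in
    # $event.Properties / ReplacementStrings, but addressed by name).
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $props = [ordered]@{
            TimeCreated = $Event.TimeCreated
            RecordId    = $Event.RecordId
            Computer    = $xml.Event.System.Computer
        }
        foreach ($d in $xml.Event.EventData.Data) {
            # '#text' holds the element's value; empty elements yield $null.
            $props[$d.Name] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

# XPath filter evaluated by the event log service: only 4624 events whose
# LogonType data element is 3 (network logon) are returned.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='3']]"
$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
          ConvertFrom-EventData

# Summarise which accounts logged on over the network, from which source
# address, and how often; machine accounts (names ending in $) are dropped.
$logons |
    Where-Object { $_.TargetUserName -notlike '*$' } |
    Group-Object TargetDomainName, TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Account'; e = { $_.Values[0] + '\' + $_.Values[1] } },
                  @{ n = 'Source';  e = { $_.Values[2] } }

# Positional access without the XML round-trip, as the third answer notes:
# index 4 of Properties is TargetUserSid, the same slot as ReplacementStrings[4].
$first = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
if ($first) { "New Logon Security ID: $($first.Properties[4].Value)" }
```

The grouped output is a quick baseline of network logons per account and source address; an account appearing from an unexpected address is the kind of entry worth following up.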

All replies

  • Hi,

    Just checking any update here? If you need further assistance, please post back.

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Regards, Yan Li

    Monday, December 16, 2013 1:58 AM