How to get only specific line from windows event message.

  • Question

  • How to get only a specific line from a Windows Event Viewer message.

    get-winevent -logname security | where { $_.Id -eq "4624"}| select message

    From the command I am getting too many parameters under message, but I want to get only the "User:" line.

    Output:

    "Remote Desktop Services: Session logon
    succeeded:
    User: abc\name
    Session ID: 2
    Source Network Address: LOCAL"

    Note: This is not the exact event ID and message. My query is about how to get only a particular line of output from the event viewer message.



    • Edited by Partha1012 Tuesday, February 13, 2018 6:00 PM
    Tuesday, February 13, 2018 5:59 PM

Answers

  • All strings in the message body are available as parameters in the properties of the message.  No two providers supply the same schema so it is provider specific.

    $e = get-winevent -FilterHashtable @{logname='security';id=4624} -MaxEvents 1
    $e.Properties[5]


    \_(ツ)_/


    Wednesday, February 14, 2018 1:42 AM

All replies

  • Looks like that's a string, and you'd have to write up your own regular expression.

    Alternatively, this uses get-eventlog and there seems to be a trick to pull that data:

    https://community.spiceworks.com/topic/598706-parsing-the-message-field-in-security-event-log-to-pull-the-username

    Wednesday, February 14, 2018 1:23 AM
  • Thanks Jrv, but I'm getting the below error

    Cannot index into a null array.
    At line:1 char:1
    + $et.properties[5]
    + ~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : NullArray

    Wednesday, February 14, 2018 6:15 AM
  • $e = get-winevent -FilterHashtable @{logname='security';id=4624} -MaxEvents 1
    $e.Properties[5]


    \_(ツ)_/

    • Proposed as answer by jrv Wednesday, February 14, 2018 7:05 AM
    Wednesday, February 14, 2018 6:23 AM
  • I got it, but I'm getting the output of a single event only. I want the same result for the entire output.

    FYI, MaxEvents I have checked with 100 and also removed and checked.

    For ex: Here "$e = get-winevent -FilterHashtable @{logname='security';id=4624}" I'm getting around 100 logs, but when I'm checking with "$e.Properties[5]" I'm getting only the output of a single log.

    Wednesday, February 14, 2018 6:58 AM
  • That is why you need to learn PowerShell.

    Get all of the events by removing the 'MaxEvents' and pipe to a foreach-object.  You can also use a calculated select statement.

    You asked how to get a specific value from the message.  The question has been answered.  If you have a new question then please start a new question.


    \_(ツ)_/

    Wednesday, February 14, 2018 7:05 AM
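  • An added example, not code posted in this thread, of the per-event approach the answers describe: every 4624 event is piped through a function that reads the EventData section of the event XML, so fields are picked by name (TargetUserName, LogonType, IpAddress) rather than by a hard-coded Properties[] index. The function name ConvertTo-EventDataObject is made up for this example; it assumes the standard Security-log 4624 schema from Microsoft-Windows-Security-Auditing.

```powershell
# Added example, not from the thread. Emits one object per 4624 logon event
# with the fields a defender usually wants: who logged on, how, and from where.
# Field names come from the event's EventData XML, so no Properties[] index is needed.

function ConvertTo-EventDataObject {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    process {
        # Each <Data Name="..."> element of EventData becomes a named property.
        $xml = [xml] $Event.ToXml()
        $obj = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            $obj[$d.Name] = $d.'#text'
        }
        [pscustomobject] $obj
    }
}

# Pitfall seen in the thread: on an array of events, $events.Properties[5] uses
# member enumeration, which flattens every event's Properties into ONE list, so
# [5] is just the sixth value of the FIRST event. Piping each event through
# ForEach-Object / Select-Object keeps one result per event instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100

$events |
    ConvertTo-EventDataObject |
    Select-Object TimeCreated,
        @{ Name = 'User';      Expression = { "$($_.TargetDomainName)\$($_.TargetUserName)" } },
        LogonType,
        IpAddress,
        WorkstationName |
    Format-Table -AutoSize
```

    Reading the Security log requires an elevated session. For 4624 the accepted answer's $e.Properties[5] is the same value as TargetUserName here, but the XML route does not break if a provider changes its property order.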