I am working on a PowerShell script that will go through the Windows Security Logs and parse the user logon events, so I can keep an audit trail of who is logging into each of the servers.
I have the PowerShell script working to the point where it's getting each individual unique logon event and exporting it to a CSV. The fields I'm exporting are RecordID, ID, TaskDisplayName, MachineName, TimeCreated, Message.
The issue I am having is, by default, the export to CSV takes the whole Event Log entry "Message" field and saves it to the CSV. There is a lot of text in here and all I really want is the user who logged on. If you view the Event Log in XML, this field is the "TargetUserName".
Is there a way to add an additional field to the CSV export and get the TargetUserName field extracted from the "Message" field? Once you run Get-WinEvent, the XML format is gone and you can't query those attributes.
Here is the code I have so far:
Code:
# XPath filter: successful logons (4624), RemoteInteractive only (LogonType 10),
# skipping entries with an all-zero LogonGuid.
$EventLogQuery = @"
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='LogonType'] and (Data ='10')]]
and
*[EventData[Data[@Name='LogonGuid'] != '{00000000-0000-0000-0000-000000000000}']]
and
*[System[(EventID='4624')]]
</Select>
</Query>
</QueryList>
"@
# Pull the matching events and write the selected fields to CSV.
Get-WinEvent -FilterXml $EventLogQuery |
    Select-Object RecordId, Id, TaskDisplayName, MachineName, TimeCreated, Message |
    Export-Csv -Path "C:\EventLogs\LogonAuditLog.csv" -NoTypeInformation
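One way to get TargetUserName into the CSV without parsing the Message text, as an added example (not the poster's code): each object from Get-WinEvent is an EventRecord, and its ToXml() method returns the same XML you see in Event Viewer, so the named EventData fields can be read from there with calculated properties. The $EventLogQuery variable and the output path are assumed to be the ones from the post; the sample XML at the bottom is constructed for an offline check and its values are made up.

```powershell
# Return the text of <Data Name="..."> from an event's XML (what EventRecord.ToXml() gives you).
function Get-EventDataValue {
    param(
        [Parameter(Mandatory)][string]$EventXml,
        [Parameter(Mandatory)][string]$Name
    )
    $xml = [xml]$EventXml
    # Property-style navigation ignores the default namespace, so no namespace manager is needed.
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.GetAttribute('Name') -eq $Name) { return $d.InnerText }
    }
    return $null   # field not present in this event (e.g. a different event ID)
}

# Export with per-field columns instead of the whole Message; $FilterXml is e.g. $EventLogQuery from the post.
function Export-LogonAudit {
    param(
        [Parameter(Mandatory)][string]$FilterXml,
        [Parameter(Mandatory)][string]$Path
    )
    Get-WinEvent -FilterXml $FilterXml |
        Select-Object RecordId, Id, TaskDisplayName, MachineName, TimeCreated,
            @{ Name = 'TargetDomainName'; Expression = { Get-EventDataValue ($_.ToXml()) 'TargetDomainName' } },
            @{ Name = 'TargetUserName';   Expression = { Get-EventDataValue ($_.ToXml()) 'TargetUserName' } },
            @{ Name = 'LogonType';        Expression = { Get-EventDataValue ($_.ToXml()) 'LogonType' } },
            @{ Name = 'IpAddress';        Expression = { Get-EventDataValue ($_.ToXml()) 'IpAddress' } } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Constructed, trimmed 4624 event XML (made-up values) to check the parser without touching the Security log.
$sampleXml = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>SRV01.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
"@
$user = Get-EventDataValue -EventXml $sampleXml -Name 'TargetUserName'
if ($user -ne 'jdoe') { throw "parser check failed: got '$user'" }
"$(Get-EventDataValue $sampleXml 'TargetDomainName')\$user from $(Get-EventDataValue $sampleXml 'IpAddress')"

# Live use (needs rights to read the Security log):
# Export-LogonAudit -FilterXml $EventLogQuery -Path 'C:\EventLogs\LogonAuditLog.csv'
```

Reading fields by their Name attribute is more robust than regexing the Message text, which is localized and can change wording between Windows versions.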