Here is a small PowerShell command that extracts the latest logon events (event ID 4624) together with their LogonType and TargetUserName.
Get-EventLog -LogName Security -InstanceId 4624 -Newest 100 | ForEach-Object {
    # Split the rendered message into lines; the fields are picked by row number
    $arrMSG = $_.Message -split "`n"
    $LogonType = $arrMSG[8]
    $TargetUserName = $arrMSG[12]
    # Attach both values to the event object as extra properties
    Add-Member -MemberType NoteProperty -Name LogonType -Value $LogonType -InputObject $_
    Add-Member -MemberType NoteProperty -Name TargetUserName -Value $TargetUserName -InputObject $_
    $_ | Select-Object TimeGenerated, InstanceID, LogonType, TargetUserName
} | Format-Table -AutoSize -Wrap
Information on the logon types and their meaning can be found on the web, e.g. here.
The same can also be achieved using WMI and XML, but in this case I opted to split the Message property into an array and access the data by row number. Here is a discussion on TechNet regarding using WMI instead.
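For comparison, the XML route mentioned above, as an added example that is not part of the original post: it reads LogonType and TargetUserName by field name from the event XML, so it does not rely on row positions in the message text. It uses Get-WinEvent rather than WMI; the function name ConvertFrom-LogonEventXml and the sample event are constructed for illustration.

```powershell
# Added example: read 4624 fields by name from the event XML instead of by message row.
# The function name and the sample event are constructed for illustration.

# Common logon type codes and their names
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Index the <Data Name="..."> elements of EventData by their Name attribute
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            TimeCreated    = $evt.System.TimeCreated.SystemTime
            EventID        = [int]$evt.System.EventID
            LogonType      = $type
            LogonTypeName  = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }
            TargetUserName = $data['TargetUserName']
        }
    }
}

# Constructed sample event, trimmed to the elements the function reads
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T08:30:00.0000000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>
'@
$sampleXml | ConvertFrom-LogonEventXml

# Against the live Security log (needs an elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml | Format-Table -AutoSize
```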