0 Votes
Bonus12 asked LeonLaude edited

Event viewer security log

Hi,

I'm trying to query the Event Viewer security log for an event that has an object type "Computer". I can't find the object type property anywhere. Any idea, please?

Get-WinEvent -LogName security | Select-Object -Property *

windows-server-powershell

0 Votes
RichMatheisen-8856 answered

@Bonus12 That's what the editing in MS Q&A does when it spots a "$" followed by a "_" -- it removes the "_" when code is posted as text. Using the "Code Sample" avoids that. BTW the same problem existed on the "Add-Member" line.

Here's what the code should look like:

 $ArrayList = New-Object System.Collections.ArrayList
 Get-WinEvent -logname security -FilterXPath "*[System[EventID=4907]]" -MaxEvents 10 | 
     ForEach-Object{
         $XML = [xml]$_.toXml()
         $PsObject = New-Object psobject
         $XML.Event.EventData.Data | 
             ForEach-Object{
                 $PsObject | 
                     Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
             }
         $ArrayList.add($PsObject) | out-null
     }
    
 $ArrayList | Select-Object *

0 Votes
LeonLaude answered LeonLaude edited

Hi @Bonus12,

This post describes how you can obtain the Object Type:
https://stackoverflow.com/questions/54406245/how-to-get-powershell-get-winevent-security-message-access-mask-that-mat

From the above link I modified it as an example on how to get a specific event ID's Object Type:

 $ArrayList = New-Object System.Collections.ArrayList
 Get-WinEvent -logname security -FilterXPath "*[System[EventID=4907]]" -MaxEvents 10 | %{
     # Parse the event's XML so the EventData fields can be read by name
     $XML = [xml]$_.toXml()
     $PsObject = New-Object psobject
     $XML.Event.EventData.Data | %{
         # One property per <Data Name="..."> element (ObjectType is one of them)
         $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
     }
     $ArrayList.add($PsObject) | out-null
 }

 $ArrayList | Select *

Example output:

105849-objecttype.png

You can modify the script as per your own needs.


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon



Thank you @LeonLaude, but when I run it I get an error at line 3 char:13
unexpected token '$.toxml' in expression or statement.

I think you meant $_.toxml()

0 Votes 0 ·

I thought I had put the code in a "code sample", but now I've modified it to reflect better.

0 Votes 0 ·
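
Building on the two answers above, one way to return only the events whose ObjectType equals a given value. This is an added example, not code from the thread's participants: `ConvertFrom-EventXml` and `Get-ObjectTypeXPath` are hypothetical helper names, the event XML is constructed sample data, and the ObjectType values a real event carries depend on the event ID.

```powershell
# Constructed sample events (not taken from a real Security log).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$SampleEvents = @(
    "<Event xmlns='$ns'><System><EventID>4907</EventID></System><EventData>" +
    "<Data Name='SubjectUserName'>alice</Data><Data Name='ObjectType'>File</Data>" +
    "<Data Name='ObjectName'>C:\Temp\a.txt</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4907</EventID></System><EventData>" +
    "<Data Name='SubjectUserName'>bob</Data><Data Name='ObjectType'>Computer</Data>" +
    "<Data Name='ObjectName'>SAMPLE-PC01</Data><Data>unnamed value</Data></EventData></Event>"
)

function ConvertFrom-EventXml {
    # Hypothetical helper: flattens one event's XML into a single object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $idNode = $doc.SelectSingleNode("/*/*[local-name()='System']/*[local-name()='EventID']")
        $props = [ordered]@{ EventID = [int]$idNode.InnerText }
        foreach ($d in $doc.SelectNodes("/*/*[local-name()='EventData']/*[local-name()='Data']")) {
            $name = $d.GetAttribute('Name')
            # Unnamed <Data> elements are skipped; a repeated name overwrites instead of failing.
            if ($name) { $props[$name] = $d.InnerText }
        }
        [pscustomobject]$props
    }
}

function Get-ObjectTypeXPath {
    # Hypothetical helper: builds a filter the event log service evaluates itself,
    # so only matching events are returned to PowerShell.
    param([Parameter(Mandatory)][int]$EventId, [Parameter(Mandatory)][string]$ObjectType)
    if ($ObjectType -match "['""]") { throw 'ObjectType must not contain quote characters.' }
    "*[System[EventID=$EventId]] and *[EventData[Data[@Name='ObjectType']='$ObjectType']]"
}

# Offline: the same condition applied client-side to the constructed sample.
$SampleEvents | ConvertFrom-EventXml | Where-Object ObjectType -eq 'Computer'

# Live (elevated session needed to read the Security log):
# $xpath = Get-ObjectTypeXPath -EventId 4907 -ObjectType 'Computer'
# Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml
```

With the sample data, the offline pipeline returns only the second event (SubjectUserName `bob`, ObjectName `SAMPLE-PC01`).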