3

I am trying to extract a specific line from the message output of a get-winevent cmdlet and haven't been able to find a way to do this (I could be searching incorrectly but am still learning more advanced scripting methods). What I am running is this:

Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} -MaxEvents 1 | Select Message | Format-List

Which will return with a message similiar to this (Changed some info to generic info):

Message : The computer attempted to validate the credentials for an account.
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    jdoe
Source Workstation:    Generic-Computername
Error Code:    0x0

I am attempting to create an easy way to find a computer someone last logged into for faster troubleshooting but I am unable to filter out only the Source Workstation line, I could just not have the correct syntax for a good search to find the results I am looking for but I have been searching for about a week now and haven't found anything close to what I am looking for, any help would be great!

Improve this question
2
  • Can you provide an example for $userid assigned to Data (to reproduce)? Also, can you clarify what you want to achieve? Commented Mar 24, 2016 at 14:49
  • Definitely, $userid would be something along the lines of jdoe, just a username that is in the data field of the event log which is allowing me to pull a log with that specific users username, I tried using regex as you had in your answer and this worked! As far as what I am trying to accomplish I am wanting an easy way to see what computer someone last logged into so that I know what computer I am trying to remote in to and assist a user, if you know of an easier or better way I am all ears :) Commented Mar 24, 2016 at 17:29

1 Answer 1

Reset to default
2

Im not sure what information you want to retrieve but im pretty sure there is a better way then using Get-WinEvent to obtain that information. However, if you just want to get the value of Source Workstation you can do that with a regex:

$event = Get-WinEvent `
    -ComputerName $DC `
    -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} `
    -MaxEvents 1 `
    | Select -expand Message 

[regex]::Match($event, 'Source Workstation:\s*(.*)\s*').Groups[1].Value
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.