I’m wanting to pull the “Account Name: Person’s name” from the Message property under Get-Eventlog. After I pipe it I use the hash table below, but it pulls all of the Message property’s message. I tried using “\b” for boundaries but it didn’t change. I am trying to learn regular expressions, so I’m not sure if I am misunderstanding the expressions’ meanings.
select @{n=‘Message’; e={$_.Message -replace "‘^(Account Name:.)$’,‘$1’}}
Thank you for any help
Eric,
Would you be able to attach a full example of the event log message (obfuscate any sensitive info) and the command line used to retrieve it?
Get-EventLog -LogName Security -InstanceId 4624 | select TimeGenerated, @{n=’Message’; e={$_.Message -replace “‘^(Account Name:.)$’,’$1′}} | format-list
Sorry, I thought you meant the event cmd that I was using.
Message : An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SO-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-2415982056-31499485-2897633832-1007
Account Name: Salamone
Account Domain: SO-PC
Logon ID: 0x1ec8b42
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x12ec
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: SCOO-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is genera.....
There’s an easier way. Use the ReplacementStrings collection instead of the message property:
Get-EventLog -LogName Security -InstanceId 4624 -Newest 1 | Select-Object -Property TimeGenerated, @{Label='UserName';Expression={$_.ReplacementStrings[1]}}
Nice, Mike! PowerShell is so powerful, so one tends to forget the simplest of ways to use it!
That worked perfectly, thank you.
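For readers who still want the regex route from the original question, here is an added example that is not part of any post in this thread. It shows why the `-replace` attempt returned the whole message and how to pull both "Account Name" lines instead. The helper name `Get-AccountNameFromMessage` and the sample text (built from the values quoted above) are assumptions made for illustration.

```powershell
# Constructed sample: abbreviated 4624 message text using the values quoted in the thread.
$sampleMessage = @'
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SO-PC$
    Account Domain:     WORKGROUP

New Logon:
    Security ID:        S-1-5-21-2415982056-31499485-2897633832-1007
    Account Name:       Salamone
    Account Domain:     SO-PC
'@

function Get-AccountNameFromMessage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Message)

    # (?m) lets ^ and $ anchor at every line. Without it they anchor only at the
    # ends of the whole message, the pattern never matches, and -replace returns
    # its input unchanged. Even on a match, -replace rewrites only the matched
    # text and keeps the rest, so extraction needs a match, not a replace.
    $pattern = '(?m)^[ \t]*Account Name:[ \t]*(.*?)[ \t\r]*$'

    # @() keeps the result an array even when only one line matches.
    $names = @([regex]::Matches($Message, $pattern) |
        ForEach-Object { $_.Groups[1].Value })

    [pscustomobject]@{
        SubjectAccount  = $names[0]   # first block in the message: "Subject"
        NewLogonAccount = $names[1]   # second block: "New Logon"
    }
}

Get-AccountNameFromMessage -Message $sampleMessage

# The same two fields by position on a live Security log (elevated session),
# assuming the standard 4624 field order (index 1 = Subject, index 5 = New Logon):
# Get-EventLog -LogName Security -InstanceId 4624 -Newest 5 |
#     Select-Object TimeGenerated,
#         @{n='Subject';  e={$_.ReplacementStrings[1]}},
#         @{n='NewLogon'; e={$_.ReplacementStrings[5]}}
```

A 4624 message carries two "Account Name" lines, so when reviewing logons check which block a value came from: the Subject is the account that requested the logon, and New Logon is the account that was logged on.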