$log = Get-Eventlog -LogName Security -before $endDate $4 = $log | Select-Object -first 1
$4 generates
PS C:> $4
Index Time EntryType Source InstanceID Message
41419 Aug 12 19:34 SuccessA… Microsoft-Windows… 4672 Special privileges assigned to new logon…
I want the text after 4672 “Special privileges assigned to new logon…”
When I attempt to use this method
$4.ReplacementStrings[0,1,2,3,4,5,6,7,8,9,10]
S-1-5-18
SYSTEM
NT AUTHORITY
0x3e7
SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
The line of text I would like is missing.
BUT
Below when I use this I see the text I want.
$4.Message
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
I will guess I am missing some basic simple thing that I am over looking. I have spent quite a bit of time trying to figure this out help would be greatly appreciated.
Ultimately this code will compile into a HTML document and I have a column called “Description” and that short text would be ideal.