Grouping on part of Windows Event message text

tsame · January 14, 2019, 8:15am

Hello. Is it possible to group by part of the message content of Windows events?

Basically I would like to group on a certain property (Image) which is located in the event message of a number of Sysmon events. I tried using regex to group by ‘Image (.*)\s’ but that did not work as below:

Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} | group {$_.Message -like '*Image: (.*)\s*'}

Is there a way that I can I group on all combinations of “Image: <some text>” which are located in the event’s message?

system · January 14, 2019, 8:17am

Might be worth mentioning - like isn’t quite Regex. You seem to have a bit of a mix of regex and wildcard there - -like accepts ‘’ as a wildcard character. You could try using "-match '.Image: (.)\s’", which may work?

js2010 · January 14, 2019, 10:34am

I believe you can get elements of the message from the event data and system data xml as discussed here: Could Someone Please Write a RegEx For Me ?

fullenw1 · January 15, 2019, 3:27pm

I would first filter events with Where-Object and then the grouping would be easier to do

Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} |
    Where-Object Message -Match '.*Image: (.*)\s.*' |
    Group-Object -Property Message

Topic		Replies	Views
Extracting a String using Regex PowerShell Help	6	161	May 28, 2014
Search Application event with a specific word PowerShell Help	22	287	March 3, 2022
Parsing event log message data PowerShell Help	3	127	August 26, 2015
Extracting and grouping text from file PowerShell Help	11	484	July 29, 2021
Parsing EventLog Message PowerShell Help	2	181	May 11, 2015

Grouping on part of Windows Event message text

Related Topics