Windows-Online-support

Anyone who has had to monitor failed logon attempts on a server knows how painful it is to trawl through the Event Log. It is even more frustrating when you need to export your findings for a report (which I recently had to do, as our external RDS host was being brute-forced).

Like most people, I first tried the export feature in the Event Viewer console and saved the result to a .CSV file. The problem is that it provides little detail and is of no use for report writing. I then came across a really useful PowerShell script that exports all the data needed.

The script below exports every Security event with ID 4625 ("An account failed to log on") from the last 24 hours to a CSV file under c:\logs\security. It picks the fields by position from ReplacementStrings, so the indices matter: 4625 carries 21 data fields in a fixed order, with TargetUserName at index 5, LogonType at index 10, WorkstationName at index 13, IpAddress at index 19 and IpPort at index 20 (the last one). LogonType is worth keeping in the export, because it tells you whether the failures are RDP (type 10) or plain network logons (type 3). Note that Get-EventLog only exists in Windows PowerShell; on PowerShell 7 you need Get-WinEvent instead.

$DT = [DateTime]::Now.AddDays(-1)
$outDir = 'c:\logs\security'
# Export-Csv does not create the folder for you, so make sure it exists first.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$logName = '{0}\{1}_security4625_log_{2}.csv' -f $outDir,
 $DT.ToString("MM-dd-yyyy"), $env:ComputerName

# ReplacementStrings holds the 4625 EventData fields in their documented order:
# [5] TargetUserName, [10] LogonType, [13] WorkstationName, [19] IpAddress, [20] IpPort
Get-EventLog -LogName 'Security' `
 -InstanceId 4625 `
 -After $DT |
 Select-Object TimeGenerated,
 @{
  Name='TargetUserName'
  Expression={$_.ReplacementStrings[5]}
 },
 @{
  Name='LogonType'
  Expression={$_.ReplacementStrings[10]}
 },
 @{
  Name='WorkstationName'
  Expression={$_.ReplacementStrings[13]}
 },
 @{
  Name='IpAddress'
  Expression={$_.ReplacementStrings[19]}
 },
 @{
  Name='IpPort'
  Expression={$_.ReplacementStrings[20]}
 } |
 Export-Csv -Path $logName -NoTypeInformation
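Picking fields by position is brittle, and a raw list of thousands of 4625 rows is still not a report. The following is an added example, not the script from the post: it reads each 4625 event's XML and selects the EventData fields by their documented names (TargetUserName, LogonType, SubStatus, WorkstationName, IpAddress, IpPort), then summarises the attempts per source address with the count, the user names tried and first/last seen. The sample events are constructed inline so the block runs offline; the function and parameter names are my own.

```powershell
# Added example (not the post's own script): parse 4625 by field name from the
# event XML and summarise per source address. Sample data below is constructed.

function ConvertFrom-FailedLogonXml {
    # Takes the XML of one 4625 event (what EventLogRecord.ToXml() returns)
    # and returns a flat object with the fields a brute-force report needs.
    param([Parameter(Mandatory)][string]$EventXml)

    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        # Each element looks like <Data Name="IpAddress">203.0.113.7</Data>
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $when = $x.Event.System.TimeCreated.GetAttribute('SystemTime')

    [pscustomobject]@{
        TimeCreated     = [datetime]::Parse($when, [cultureinfo]::InvariantCulture,
                              [System.Globalization.DateTimeStyles]::RoundtripKind)
        TargetUserName  = $data['TargetUserName']
        TargetDomain    = $data['TargetDomainName']
        LogonType       = [int]$data['LogonType']   # 10 = RDP, 3 = network
        SubStatus       = $data['SubStatus']        # 0xC0000064 unknown user, 0xC000006A bad password
        WorkstationName = $data['WorkstationName']
        IpAddress       = $data['IpAddress']
        IpPort          = $data['IpPort']
    }
}

function Get-FailedLogonSummary {
    # Groups parsed records by source address, noisiest source first.
    param([Parameter(Mandatory)][object[]]$Records)

    $Records |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                IpAddress  = $_.Name
                Attempts   = $_.Count
                Users      = ($_.Group.TargetUserName | Sort-Object -Unique) -join ';'
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                FirstSeen  = $ordered[0].TimeCreated
                LastSeen   = $ordered[-1].TimeCreated
            }
        } |
        Sort-Object -Property Attempts -Descending
}

function New-SampleFailedLogonXml {
    # Constructed test data only: a 4625 event in the shape of ToXml(),
    # with the documented EventData field order (21 fields).
    param($Time, $User, $Ip, $Port, $LogonType = 10, $SubStatus = '0xC000006A', $Workstation = '-')
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/><Computer>RDS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data><Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CORP</Data><Data Name="Status">0xC000006D</Data>
    <Data Name="FailureReason">%%2313</Data><Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">$Workstation</Data>
    <Data Name="TransmittedServices">-</Data><Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data><Data Name="ProcessId">0x0</Data><Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">$Ip</Data><Data Name="IpPort">$Port</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one external source spraying accounts over RDP, and one
# internal user with a single typo from a known workstation.
$sampleXml = @(
    New-SampleFailedLogonXml -Time '2024-05-01T08:00:01.0000000Z' -User 'administrator' -Ip '203.0.113.7' -Port 51012
    New-SampleFailedLogonXml -Time '2024-05-01T08:00:03.0000000Z' -User 'admin' -Ip '203.0.113.7' -Port 51013 -SubStatus '0xC0000064'
    New-SampleFailedLogonXml -Time '2024-05-01T08:00:05.0000000Z' -User 'administrator' -Ip '203.0.113.7' -Port 51014
    New-SampleFailedLogonXml -Time '2024-05-01T09:15:00.0000000Z' -User 'jsmith' -Ip '10.0.0.25' -Port 49802 -LogonType 3 -Workstation 'WS-JSMITH'
)

$records = $sampleXml | ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_ }
$summary = Get-FailedLogonSummary -Records $records
$summary | Format-Table -AutoSize

# On a live server, feed real events in the same way (Get-WinEvent also works on
# PowerShell 7, where Get-EventLog is gone) and export both detail and summary:
#   $records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} |
#              ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_.ToXml() }
#   $records | Export-Csv -NoTypeInformation -Path 'c:\logs\security\4625_detail.csv'
#   $summary | Export-Csv -NoTypeInformation -Path 'c:\logs\security\4625_summary.csv'
```

With the sample data the summary puts 203.0.113.7 first with three attempts against two user names, one of them an unknown account (SubStatus 0xC0000064), which is the signature of a password spray rather than a forgotten password. Selecting by name also means the parser keeps working if a future event version adds or reorders fields, which the positional indices in ReplacementStrings would silently get wrong.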
