Script to parse Windows logon event data from the Forwarded Events log.
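# Pull logon-related Windows events from a Windows Event Forwarding collector's
# ForwardedEvents channel and flatten each event into one object (one row per
# event) suitable for Export-Csv / Out-GridView / further filtering.
#
# Event IDs selected by the XML filter below:
#   4624 - an account was successfully logged on
#   4634 - an account was logged off
#   4800 - the workstation was locked
#   4801 - the workstation was unlocked
#
# Requires read access to the ForwardedEvents log on $eventLogCollector.
# All *Zulu fields are reported in UTC, as the field names promise.

$eventLogCollector = 'MYSERVER'

# XML filter for Get-WinEvent
$eventFilter = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=4624 or EventID=4800 or EventID=4801 or EventID=4634)]]</Select>
  </Query>
</QueryList>
"@

# Fields copied from the <EventData><Data Name="..."> elements, in output order.
$eventDataFields = @(
    'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId',
    'TargetUserSid', 'TargetUserName', 'TargetDomainName', 'TargetLogonId',
    'LogonType', 'LogonProcessName', 'AuthenticationPackageName', 'WorkstationName',
    'LogonGuid', 'TransmittedServices', 'LmPackageName', 'KeyLength',
    'ProcessId', 'ProcessName', 'IpAddress', 'IpPort'
)

# Full column list of the output object (EventData fields first, then <System> fields).
$columns = $eventDataFields + @(
    'SystemTimeZ', 'EventID', 'EventRecordID', 'Channel', 'ComputerName',
    'SystemTimeZulu', 'SystemDateZulu'
)

Get-WinEvent -FilterXml $eventFilter -ComputerName $eventLogCollector | ForEach-Object {
    $result = [xml] $_.ToXml()
    # Blank object with every column present (and $null) even if the event lacks it.
    $output = '' | Select-Object -Property $columns

    # TimeCreated/@SystemTime is ISO 8601 with a trailing 'Z'. A bare [datetime]
    # cast converts it to the LOCAL time of the machine running this script and
    # its string form depends on the current culture (under en-US the old
    # "-split ' '" dropped the AM/PM token). Parse it culture-invariantly, keep
    # it as UTC, and format with fixed patterns.
    $rawTime = $result.Event.System.TimeCreated.SystemTime
    $utc = [datetime]::Parse(
        $rawTime,
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    $output.SystemTimeZ    = $utc
    $output.SystemDateZulu = $utc.ToString('yyyy-MM-dd')
    $output.SystemTimeZulu = $utc.ToString('HH:mm:ss.fffffff')

    # When an event carries an EventID Qualifiers attribute, .EventID is an
    # element rather than a string; unwrap it so the column is always the number.
    $eventId = $result.Event.System.EventID
    if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.'#text' }
    $output.EventID       = $eventId
    $output.EventRecordID = $result.Event.System.EventRecordID
    $output.Channel       = $result.Event.System.Channel
    $output.ComputerName  = $result.Event.System.Computer

    # Collect <Data Name="..."> elements into a lookup table. A table (rather
    # than Add-Member on a PSObject) tolerates a Name that appears twice and an
    # event with no EventData at all; missing names simply stay $null.
    $data = @{}
    foreach ($element in @($result.Event.EventData.Data)) {
        if ($null -ne $element -and $element.Name) {
            $data[$element.Name] = $element.'#text'
        }
    }

    foreach ($field in $eventDataFields) {
        $output.$field = $data[$field]
    }
    $output
}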