PowerShell script that pulls logon-related Security events (4624, 4634, 4800, 4801) from the ForwardedEvents log of a Windows Event Collector and flattens each event's System and EventData fields into one object per event, suitable for piping to Export-Csv or further filtering.
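# Windows Event Collector host whose ForwardedEvents log is queried.
# Get-WinEvent -ComputerName reaches it over RPC, so the account running
# this script needs read access to that log on the collector (typically
# membership of the local "Event Log Readers" group) and RPC reachability.
$eventLogCollector = 'MYSERVER'

# Security event IDs to collect. These are the logon-related events the
# columns below are built for:
#   4624 = successful logon,      4634 = logoff,
#   4800 = workstation locked,    4801 = workstation unlocked.
# Extend or trim this list to change the query; the XPath is built from it.
$eventIds = 4624, 4634, 4800, 4801

# "EventID=4624 or EventID=4634 or ..." — built from the integer list above,
# so nothing user-controlled is ever interpolated into the XPath.
$eventIdClause = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# XML query for Get-WinEvent -FilterXml. Filtering by EventID on the server
# side keeps the (potentially huge) ForwardedEvents log from being streamed
# across the wire in full.
$eventFilter = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[($eventIdClause)]]</Select>
  </Query>
</QueryList>
"@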
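# Columns of every emitted record, in output order. The first group is copied
# by name from the event's EventData <Data Name="..."> elements; the second
# group comes from the System section. Keeping them in one list keeps the
# object shape (and e.g. Export-Csv column order) stable.
$eventDataColumns = 'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId',
                    'TargetUserSid', 'TargetUserName', 'TargetDomainName', 'TargetLogonId',
                    'LogonType', 'LogonProcessName', 'AuthenticationPackageName', 'WorkstationName',
                    'LogonGuid', 'TransmittedServices', 'LmPackageName', 'KeyLength',
                    'ProcessId', 'ProcessName', 'IpAddress', 'IpPort'
$systemColumns = 'SystemTimeZ', 'EventID', 'EventRecordID', 'Channel', 'ComputerName',
                 'SystemTimeZulu', 'SystemDateZulu'

# Query the collector and emit one flat object per event. The output contains
# account names, SIDs, logon IDs and source addresses — treat it as sensitive
# and store/transport it accordingly. No -MaxEvents is applied, so the whole
# matching history of the ForwardedEvents log is streamed.
Get-WinEvent -FilterXml $eventFilter -ComputerName $eventLogCollector | ForEach-Object {
    $event  = [xml]$_.ToXml()
    $output = "" | Select-Object ($eventDataColumns + $systemColumns)

    # TimeCreated/@SystemTime is an ISO-8601 UTC stamp ending in "Z". A bare
    # [datetime] cast parses it but yields LOCAL time (Kind=Local), so the
    # "Zulu" columns previously held local time; and splitting the default
    # culture-dependent ToString() on spaces dropped the AM/PM designator on
    # 12-hour cultures, producing ambiguous times. Convert to UTC explicitly
    # and use fixed, culture-independent patterns so timelines line up across
    # hosts and analyst workstations.
    $utc = ([datetime]$event.Event.System.TimeCreated.SystemTime).ToUniversalTime()
    $output.SystemTimeZ    = $utc
    $output.SystemTimeZulu = $utc.ToString('HH:mm:ss')
    $output.SystemDateZulu = $utc.ToString('yyyy-MM-dd')

    $output.EventID       = $event.Event.System.EventID
    # Forwarded events keep the originating host's System section, so
    # EventRecordID appears to be the record number on that host, not on the
    # collector; pair it with ComputerName when de-duplicating.
    $output.EventRecordID = $event.Event.System.EventRecordID
    $output.Channel       = $event.Event.System.Channel
    $output.ComputerName  = $event.Event.System.Computer

    # Index the EventData fields by name. A hashtable replaces the earlier
    # Add-Member loop so that an unnamed <Data> element or a missing EventData
    # section cannot abort the pipeline; a column this event does not carry
    # (the logoff/lock/unlock events have fewer fields than 4624) stays $null.
    # NOTE(review): WorkstationName and IpAddress are taken as the logging
    # host reported them; WorkstationName in particular is client-supplied
    # and should not be treated as authoritative attribution.
    $data = @{}
    foreach ($field in @($event.Event.EventData.Data)) {
        if ($field -and $field.Name) { $data[$field.Name] = $field.'#text' }
    }
    foreach ($column in $eventDataColumns) {
        $output.$column = $data[$column]
    }

    $output
}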