Instantly share code, notes, and snippets.

Embed
What would you like to do?
Gets the IP of a user login from the event log. Filters out entries where the IP isn't recorded.
Get-WinEvent -Logname Security -FilterXPath "*[System[EventID=4624]]" | Where-Object { $_.Properties[18].Value -ne '-' } | Select-Object MachineName,
@{
Name = 'UserName'
Expression = { $_.Properties[5].Value }
},
@{
Name ='IP'
Expression = { $_.Properties[18].Value }
},
TimeCreated | Sort-Object -Descending UserName
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment