Need help with event viewer and regex to filter exact output

We’ve been getting a lot of account lock outs lately and I’ve created a function to loop through all the DCs and check if there are any 4740 eventIDs. The problem is that the output is this one big verbose message and i cant really filter it out by any associated properties so i at a standstill as i see it.

Here is what the code to get a single event viewer object looks like:

$Object = Get-WinEvent -ComputerName $Computer -FilterHashtable @{Logname = 'Security'; ID = 4740; StartTime = (Get-Date).AddDays(-5)} -EA 0 

The object by itself returns it default properties but i’m only really interested in the $object.Message .. Below is that looks like.

A user account was locked out. Subject: Security ID: S-1-xx-xx Account Name: DC01$ Account Domain: Contoso Logon ID: 0x3E7 Account That Was Locked Out: Security ID: S-1-xx-xxxxxxx-xxxxx Account Name: gabyred884 Additional Information: Caller Computer Name: gabyred884-pc 

i’m only interesting in getting the Account Name (gabyred884) and Caller Computer Name (gabyred884-pc). Back in the CMD days I was able to do a findstr /i to include and exclude (/v) but I’d rather not go that route. Trying to filter the line using Select-String returns the entire block (maybe i’m using it wrong). Anyway would you think Regex would be better suited to get exactly that? If so, could you help me with the syntax?

much appreciated.

submitted by /u/gabyred884
[link] [comments]

Leave a Reply