Remove From My Forums

Powershell: get all events id 4624 for a particular user

Question
0

Sign in to vote
Hi,

I am trying to get a csv file with all the login info (event 4624) for a particular user using powershell:

I tried:

Get-EventLog -UserName john.smith -InstanceId 4624 | export-csv c:\temp\output.csv

but it doesn't work, I get errors. Can anybody tell me what I am doing wrong?

Thank you in advance for your help,

RGRB18
- Moved by Bill_Stewart Friday, July 27, 2018 6:09 PM Abandoned
Friday, April 20, 2018 5:05 PM

All replies

0

Sign in to vote

You have to use an XML filter with Get-WinEvent. Get-Eventlog does not work correctly with Vista and later systems and is retained for backward compatibility.

help Get-WinEvent -online

\_(ツ)_/

Friday, April 20, 2018 5:17 PM

Some examples of XML filters:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
		*[EventData[Data[@Name='TargetUserName'] and (Data='testuser')]]
	</Select>
  </Query>
</QueryList>

$x=@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4674)]]
    and 
    *[EventData[Data[@Name='TargetUserName'] and (Data='testuser')]]
    </Select>
  </Query>
</QueryList>
'@

$x=@'
<QueryList> 
	<Query Id="0"> 
		<Select Path="Security"> 
			*[EventData[Data[@Name='SubjectUserName'] and (Data='test5' or Data='test9')]] 
			and 
			*[System[(EventID='4663')]] 
		</Select> 
	</Query> 
</QueryList>
'@
Get-WinEvent -FilterXml $x      

"*[System[(EventID=4624 or EventID=4674)]] and *[EventData[Data[@Name='LogonType'] and (Data=5)]]"

$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4740)]]
    and 
    *[EventData[Data[@Name='TargetUserName'] and (Data='kfugaro')]]
    </Select>
  </Query>
</QueryList>
'@

\_(ツ)_/

Edited by jrv Friday, April 20, 2018 5:19 PM

Friday, April 20, 2018 5:18 PM

Asked by:

Powershell: get all events id 4624 for a particular user

Question

All replies