Sign in
Microsoft.com
 
Microsoft
 
 
 

none
Powershell: get all events id 4624 for a particular user RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    I am trying to get a csv file with all the login info (event 4624) for a particular user using powershell:

    I tried:

    Get-EventLog -UserName john.smith -InstanceId 4624 | export-csv c:\temp\output.csv

    but it doesn't work, I get errors. Can anybody tell me what I am doing wrong?

    Thank you in advance for your help,

    RGRB18

    • Moved by Bill_Stewart Friday, July 27, 2018 6:09 PM Abandoned
    Friday, April 20, 2018 5:05 PM
    |

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    You have to use an XML filter with Get-WinEvent.  Get-Eventlog does not work correctly with Vista and later systems and is retained for backward compatibility.

    help Get-WinEvent -online

    \_(ツ)_/

    Friday, April 20, 2018 5:17 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Some examples of XML filters:

    <QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
		*[EventData[Data[@Name='TargetUserName'] and (Data='testuser')]]
	</Select>
  </Query>
</QueryList>

    $x=@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4674)]]
    and 
    *[EventData[Data[@Name='TargetUserName'] and (Data='testuser')]]
    </Select>
  </Query>
</QueryList>
'@

$x=@'
<QueryList> 
	<Query Id="0"> 
		<Select Path="Security"> 
			*[EventData[Data[@Name='SubjectUserName'] and (Data='test5' or Data='test9')]] 
			and 
			*[System[(EventID='4663')]] 
		</Select> 
	</Query> 
</QueryList>
'@
Get-WinEvent -FilterXml $x      

"*[System[(EventID=4624 or EventID=4674)]] and *[EventData[Data[@Name='LogonType'] and (Data=5)]]"

$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4740)]]
    and 
    *[EventData[Data[@Name='TargetUserName'] and (Data='kfugaro')]]
    </Select>
  </Query>
</QueryList>
'@

    \_(ツ)_/


    • Edited by jrv Friday, April 20, 2018 5:19 PM
    Friday, April 20, 2018 5:18 PM
    |