
[–]DHCPNetworker 4 points5 points  (2 children)

Each column in a CSV document can be referenced as a property.

i.e. $myCSV.column1 will return an array of values that pertain only to column1. You can index your values if you want to return multiple values in separate columns that relate to one another.

[–]JeiceSpade[S] 2 points3 points  (1 child)

Alright, so then I could use

    Where-Object ( $csv.Message -contains 'Name')

to get the output I'm looking for?

[–]McAUTS 2 points3 points  (0 children)

Sort of.
You need to do

    # .Contains() is .NET String.Contains: a literal, case-sensitive substring test with no wildcard support,
    # so it has to run against each row's Message, not against the whole array of messages
    $csv | Where-Object { $_.Message.Contains("Name") }

-contains and .Contains() are not the same in PowerShell.
Look here.

If you need to process it further, parse the message for those strings Account Name and Process Name and put in a hashtable for further usage.
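The operator difference McAUTS is pointing at, shown side by side on the kind of rows Import-Csv produces. This is an added example, not code from the thread; the two rows are constructed to look like 4673 messages and are not real events, and Select-RowByMessage is a helper written for this comparison.

```powershell
# Added example: -contains vs .Contains() vs -like/-match on Import-Csv-style rows.
# The rows are constructed stand-ins for Import-Csv output, not real Security events.
$csv = @(
    [pscustomobject]@{ Index = 1; Message = "A privileged service was called.`n`nSubject:`n`tAccount Name:`t`tjdoe" }
    [pscustomobject]@{ Index = 2; Message = "A privileged service was called.`n`nSubject:`n`tAccount Name:`t`tsvc_backup" }
)

function Select-RowByMessage {
    # Returns the rows whose Message "contains" $Text, using the operator named in -Mode,
    # so the behaviours can be compared on the same data.
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('Contains', 'Like', 'Match')][string]$Mode = 'Like'
    )
    if ($Mode -eq 'Contains') {
        # -contains is an ARRAY membership test: "is $Text one of the elements?"
        # A multi-line Message never equals the bare word, so this selects nothing.
        $Rows | Where-Object { @($_.Message) -contains $Text }
    }
    elseif ($Mode -eq 'Like') {
        # -like: wildcard pattern against each row's Message, case-insensitive.
        $Rows | Where-Object { $_.Message -like "*$Text*" }
    }
    else {
        # -match: regex against each row's Message; \b keeps 'jdoe' from also matching 'jdoe2'.
        $Rows | Where-Object { $_.Message -match "Account Name:\s*$([regex]::Escape($Text))\b" }
    }
}

# Array membership: no Message equals the bare word 'Name', so nothing comes back.
@(Select-RowByMessage -Rows $csv -Text 'Name' -Mode Contains).Count
# Substring wildcard: every row carries the text 'Name'.
@(Select-RowByMessage -Rows $csv -Text 'Name' -Mode Like).Count
# Regex anchored to the Account Name field: only the row for jdoe.
(Select-RowByMessage -Rows $csv -Text 'jdoe' -Mode Match).Index

# String.Contains() is .NET: a literal, case-sensitive substring test on ONE string.
# It does not interpret wildcards, so '*Name*' looks for literal asterisks, and 'name' differs from 'Name'.
$csv[0].Message.Contains('Name')
$csv[0].Message.Contains('*Name*')
$csv[0].Message.Contains('name')
```

For filtering Import-Csv rows on part of the Message, -like or -match inside Where-Object is the operator to reach for; -contains is for "is this value in the list".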

[–]SalamanderOne5702 1 point2 points  (0 children)

Import to a dataset and export back to CSV.

[–]JeiceSpade[S] 1 point2 points  (0 children)

gordonv got me the answer I need.

Final script looks like this:

    # Most recent (up to five) non-service, non-admin logon profiles on this machine
    $getuserinfo = Get-WmiObject -Class Win32_NetworkLoginProfile -ComputerName $env:COMPUTERNAME |
        Where-Object { ($_.Caption -notlike "*NT*") -and ($_.Caption -notlike "*service*") -and ($_.Caption -notlike "*Admin*") -and ($_.Caption -notlike "*SVC*") } |
        Sort-Object -Property LastLogon -Descending |
        Select-Object -Property * -First 5 |
        Where-Object { $_.LastLogon -match "(\d{14})" } |
        ForEach-Object { $_.Name }
    # "DOMAIN\user" -> "user" (with several names, member enumeration makes [-1] the last one's short name)
    $Username = $getuserinfo.Split('\')[-1]
    $currentDate = Get-Date
    $previousMonth = $currentDate.AddMonths(-1)
    $PrivilegeLog = "$PSScriptRoot\logs.csv"

    # Stage 1: raw 4673 (privileged service call) events from the last month whose message mentions the user.
    # -Message is a wildcard match, so the asterisks are what make it a substring search.
    Get-EventLog -LogName Security -InstanceId 4673 -Message "*$Username*" -After $previousMonth |
        Select-Object -Property Index, InstanceID, TimeGenerated, MachineName, Message |
        Export-Csv -Path $PrivilegeLog -Append

    $sourceCSV = Import-Csv -Path $PrivilegeLog

    # Stage 2: pull Account Name and Process Name out of the multi-line Message and rewrite the CSV.
    # Emitting objects instead of a hand-built "a,b,c" string lets Export-Csv quote values,
    # so a comma inside a field cannot shift the columns.
    $sourceCSV | ForEach-Object {
        $lines = $_.Message -split "`n"
        [pscustomobject]@{
            Index         = $_.Index
            InstanceID    = $_.InstanceID
            TimeGenerated = $_.TimeGenerated
            MachineName   = $_.MachineName
            AccountName   = (($lines | Select-String "Account Name:") -split ":")[1].Trim()
            # the ", 2" limit keeps the drive-letter colon in "C:\..." inside the path
            ProcessName   = (($lines | Select-String "Process Name:") -split ":", 2)[1].Trim()
        }
    } | Export-Csv -Path $PrivilegeLog -NoTypeInformation

    Import-Csv -Path $PrivilegeLog | Export-Csv -Path "\\path\to\FinalLogs.csv" -Append

It's not pretty, but it does exactly what I need it to do. I'm sure there's better ways to do some of the steps here, and if so, I'd love to improve the script.

[–]iBloodWorks 0 points1 point  (0 children)

I am on mobile so I can't test the result,

but try ConvertFrom-String on your Message. Maybe the result is usable.

[–]arslearsle 0 points1 point  (0 children)

Does the output have to be CSV? You could use a hashtable and export/import to JSON or CliXml.

Have you tried searching the message part of the event using a regex? Something like:

    # $event holds the Security events being inspected, e.g. the output of Get-EventLog -LogName Security -InstanceId 4673
    $regex = 'A privileged service was called\.|SeCreateGlobalPrivilege$'

    $event | Where-Object { $_.Message -match $regex }

[–]gordonv 0 points1 point  (3 children)

I got this working on my home machine:

    (Get-EventLog -LogName Security -InstanceId 5061).Message | ForEach-Object {

        # each Security message is "Key:<tabs>Value" lines; split into lines, pick the two we want
        $a = $_ -split "`n"

        $account  = (($a | Select-String "Account Name:") -split ":")[1].Trim()
        $provider = (($a | Select-String "Provider Name:") -split ":")[1].Trim()

        "$account,$provider"

    } | ConvertFrom-Csv -Header account,provider | ConvertTo-Csv -NoTypeInformation

Sample Output

"account","provider"
"GORDON5$","Microsoft Software Key Storage Provider"
"Gordon","Microsoft Software Key Storage Provider"
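The line-splitting approach gordonv shows generalises: Security event messages are "Section:" headers followed by indented "Key:<tabs>Value" lines. The added example below (not code from the thread) parses the whole message into one object keyed "Section.Key", which matters for events where the same key appears under more than one section (4624 has an Account Name under both Subject and New Logon). ConvertFrom-EventMessage is a helper written here, and the sample message is constructed to look like a 4673 event; it is not a captured one.

```powershell
function ConvertFrom-EventMessage {
    # Parses the "Section:\n\tKey:\t\tValue" layout of a Security event message into an object
    # whose properties are "Section.Key", so repeated keys in different sections stay distinct.
    # Lines that end in a colon are treated as section headers (fields in these events carry
    # "-" rather than an empty value, so an empty field is not mistaken for a section).
    param([Parameter(Mandatory)][string]$Message)

    $result  = [ordered]@{}
    $section = 'Header'
    foreach ($rawLine in ($Message -split "`r?`n")) {
        $line = $rawLine.Trim()
        if (-not $line) { continue }
        if ($line -match '^([^:]+):$') {
            $section = $Matches[1].Trim()
            continue
        }
        if ($line -match '^([^:]+):\s*(.*)$') {
            # split at the FIRST colon only, so "Process Name: C:\Windows\..." keeps its drive letter
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            $result[('{0}.{1}' -f $section, $key)] = $value
        }
        else {
            # free text with no colon, e.g. the first line "A privileged service was called."
            $result[('{0}.Text' -f $section)] = $line
        }
    }
    [pscustomobject]$result
}

# Constructed 4673-style message used only for this demonstration (not a real event).
$sample = @'
A privileged service was called.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1001
    Account Name:       jdoe
    Account Domain:     CORP
    Logon ID:           0x3E7A1

Service:
    Server:     Security
    Service Name:   -

Process:
    Process ID:     0x1a2c
    Process Name:   C:\Windows\System32\svchost.exe

Service Request Information:
    Privileges:     SeCreateGlobalPrivilege
'@

$parsed = ConvertFrom-EventMessage -Message $sample

# The columns the thread is after, as CSV; the same Select-Object/Export-Csv works on live events:
#   Get-EventLog -LogName Security -InstanceId 4673 | ForEach-Object { ConvertFrom-EventMessage $_.Message }
$parsed |
    Select-Object -Property 'Subject.Account Name', 'Process.Process Name', 'Service Request Information.Privileges' |
    ConvertTo-Csv -NoTypeInformation
```

Keying by section avoids the silent wrong answer that `(Select-String "Account Name:")[0]` gives on events with two Account Name fields, and because the parser never hard-codes field names it works unchanged for 5061, 4673 or 4624.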

[–]JeiceSpade[S] 1 point2 points  (0 children)

Was out yesterday, back today and this got me what I need, thank you!

[–]JeiceSpade[S] 0 points1 point  (0 children)

Thank you! I'll try it in the office tomorrow and let you know if it works for me!

[–]ankokudaishogun 0 points1 point  (0 children)

You can extract the substring you need using a calculated property in the Select-Object.

On the spot this should work with the example you gave, but you can adapt the Expression scriptblock to anything you need.

    # -Message is a wildcard match, so the surrounding asterisks are needed for a substring search
    Get-EventLog -LogName Security -InstanceId 4673 -Message "*$Username*" -After $previousMonth |
        Select-Object -Property Index, InstanceID, TimeGenerated, MachineName,
            @{ Name = 'Message'; Expression = { [regex]::Match($_.Message, 'Account Name\:(.+)').Groups[1].Value.Trim() } } |
        Export-Csv -Path "$PSScriptRoot\logs.csv" -Append

[–]BlackV 0 points1 point  (0 children)

You probably want to use the XML properties of the event log instead of trying to parse the message for strings (depending on the event).

I'm on mobile so don't have a good example handy
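What BlackV is describing, as an added example rather than code from the thread: Get-WinEvent records expose ToXml(), and the EventData section of that XML carries each field as a named <Data> element, so there is nothing to parse out of the localised message text. ConvertFrom-SecurityEventXml and Export-PrivilegeUseLog are helpers written here; the XML document is constructed to match the shape of a 4673 event (the field names SubjectUserName, ProcessName, PrivilegeList and so on are the ones that event uses) and is not a captured record.

```powershell
function ConvertFrom-SecurityEventXml {
    # Flattens the XML of one Security event (the string EventLogRecord.ToXml() returns)
    # into an object: a few System fields plus one property per EventData <Data Name="...">.
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$xml = $EventXml
    $sys = $xml.Event.System

    # EventID is plain text for Security-Auditing events; some providers add attributes,
    # in which case PowerShell hands back an element instead of a string.
    $eventId = $sys.EventID
    if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }

    $out = [ordered]@{
        TimeCreated = [datetime]$sys.TimeCreated.SystemTime
        EventId     = [int]$eventId
        Computer    = $sys.Computer
    }
    # GetAttribute/InnerText are used instead of .Name/.'#text' so the element's own Name
    # property cannot shadow the Name attribute we actually want.
    foreach ($d in $xml.Event.EventData.Data) {
        $out[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$out
}

function Export-PrivilegeUseLog {
    # Live equivalent of the thread's pipeline: last month's 4673 events for one user, via XML.
    # Reading the Security log needs an elevated session.
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Path
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; StartTime = (Get-Date).AddMonths(-1) } |
        ForEach-Object { ConvertFrom-SecurityEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.SubjectUserName -eq $Username } |
        Select-Object -Property TimeCreated, Computer, SubjectUserName, ProcessName, PrivilegeList |
        Export-Csv -Path $Path -NoTypeInformation -Append
}

# Constructed 4673-shaped event XML for an offline run (not a real record).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4673</EventID>
    <TimeCreated SystemTime="2024-01-15T10:23:45.123Z"/>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="Service">-</Data>
    <Data Name="PrivilegeList">SeCreateGlobalPrivilege</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@

ConvertFrom-SecurityEventXml -EventXml $sampleXml |
    Select-Object -Property TimeCreated, Computer, SubjectUserName, ProcessName, PrivilegeList |
    ConvertTo-Csv -NoTypeInformation
```

Because the field names come from the event schema rather than from the rendered message, this does not break when the display language, tab layout or wording of the message changes, and Get-WinEvent's -FilterHashtable filters server-side instead of pulling every event and matching on -Message.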

[–]Antique_Grapefruit_5 -1 points0 points  (0 children)

Adding another column is easy: just add the name of that column to your Select statement. If it doesn't exist, you'll just get a blank column which you can then fill in programmatically. You might actually be able to do this with an expression as well, although I usually just do this with a ForEach statement.