Tuesday, December 22, 2020

Regex pattern for Eventlog 4740 with powershell

Given is a log file called sample_log.txt, which contains sample data from the Windows Security event log. I want to search with a regex pattern for locked-out user accounts, which is Event ID 4740.

Such a sample looks like this:

Information    22.12.2020 21:28:46    Microsoft-Windows-Security-Auditing    4740    User Account Management    "A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:       SERVER23$
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Account That Was Locked Out:
    Security ID:        domain\firstname.lastname
    Account Name:       firstname.lastname

I have the following PowerShell script:

#grab our data (one array element per line of the file)
$file = Get-Content "$PSScriptRoot\sample_log.txt"

#make our pattern
$regex = "Account Name:\s*(\w+).(\w+)"

#loop through each line
foreach ($line in $file)
{
    #if our line contains our pattern, write the matched data to the screen
    if ($line -match $regex)
    {
        #$matches[0] is the whole match, $matches[1] and [2] the two groups
        $matches[0]
    }
}

Currently, the output looks like this:

Account Name:      SERVER23
Account Name:      firstname.lastname

How can I expand/modify the regex pattern if I want to match only events with ID 4740, and get the date and time stamp together with the account name from the sample above?

Thanks in advance for any help and suggestions.

https://stackoverflow.com/questions/65417293/regex-pattern-for-eventlog-4740-with-powershell December 23, 2020 at 07:44AM
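The following is an added example, not code from the question or from any Stack Overflow answer. The question's loop reads the export with Get-Content, which yields one string per line, so the header line (timestamp, Event ID) and the "Account Name:" lines never sit in the same `$line` and a single-line regex cannot join them. This example instead reads the whole export as one string, splits it into records on the header lines, keeps only records whose Event ID is 4740 from Microsoft-Windows-Security-Auditing, and pulls the timestamp and the account under "Account That Was Locked Out" (not the "Subject" account, which is the caller, typically a domain controller's machine account). The sample records are constructed to match the question's export format (the 4720 record exists only so the filter has something to reject), and the function and property names are my own.

```powershell
# Added example (not from the question): extract timestamp and locked-out
# account from 4740 records in a text export of the Security log.

# Constructed sample data in the question's export format. The second record
# is a 4720 (account created) so the Event ID filter has something to drop.
$sampleLog = @'
Information    22.12.2020 21:28:46    Microsoft-Windows-Security-Auditing    4740    User Account Management    "A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:       SERVER23$
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Account That Was Locked Out:
    Security ID:        domain\firstname.lastname
    Account Name:       firstname.lastname"
Information    22.12.2020 21:30:02    Microsoft-Windows-Security-Auditing    4720    User Account Management    "A user account was created.

Subject:
    Security ID:        DOMAIN\admin
    Account Name:       admin
    Account Domain:     DOMAIN
    Logon ID:           0x5A3F1

New Account:
    Security ID:        DOMAIN\svc.backup
    Account Name:       svc.backup"
'@

function Get-LockoutEvent {
    param(
        [Parameter(Mandatory)][string]$LogText,
        [int]$EventId = 4740
    )

    # Every record starts with a level keyword followed by a timestamp. Split
    # on those positions (the lookahead keeps the header inside its record) so
    # a lazy ".*?" later on can never run across into the next event.
    $recordStart = '(?m)^(?=(?:Information|Warning|Error|Critical|Audit Success|Audit Failure)\s+\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\s)'
    $records = [regex]::Split($LogText, $recordStart) | Where-Object { $_.Trim() }

    # Header columns: level, timestamp, source, event id, task category.
    $header = '^\s*(?<Level>[\w ]+?)\s+(?<Timestamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+(?<Source>\S+)\s+(?<EventId>\d+)\s+'

    # Message body: the first "Account Name" belongs to the Subject (caller);
    # the one we want follows "Account That Was Locked Out:". (?s) lets "."
    # cross line breaks within the record.
    $body = '(?s)Subject:.*?Account Name:\s*(?<Subject>[^\s"]+).*?Account That Was Locked Out:.*?Security ID:\s*(?<LockedSid>[^\s"]+).*?Account Name:\s*(?<LockedAccount>[^\s"]+)'

    foreach ($record in $records) {
        $h = [regex]::Match($record, $header)
        if (-not $h.Success) { continue }
        if ([int]$h.Groups['EventId'].Value -ne $EventId) { continue }
        if ($h.Groups['Source'].Value -ne 'Microsoft-Windows-Security-Auditing') { continue }

        # The export uses dd.MM.yyyy; parse with an explicit, culture-independent format.
        $timestamp = [datetime]::ParseExact($h.Groups['Timestamp'].Value,
            'dd.MM.yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)

        $b = [regex]::Match($record, $body)
        if (-not $b.Success) {
            Write-Warning "Event $EventId at $timestamp has no 'Account That Was Locked Out' block; skipped"
            continue
        }

        [pscustomobject]@{
            Timestamp     = $timestamp
            EventId       = $EventId
            LockedAccount = $b.Groups['LockedAccount'].Value
            LockedSid     = $b.Groups['LockedSid'].Value
            Subject       = $b.Groups['Subject'].Value
        }
    }
}

# Run against the constructed sample. For a real export, pass
# (Get-Content "$PSScriptRoot\sample_log.txt" -Raw) instead of $sampleLog;
# -Raw is what keeps the file as a single string rather than an array of lines.
Get-LockoutEvent -LogText $sampleLog | Format-Table -AutoSize
```

Run on the sample, the function returns one object for the 4740 record and drops the 4720 record. Two practical caveats: the level column in a real Security log export is "Audit Success"/"Audit Failure" rather than "Information", which is why the record-splitting pattern accepts both; and real 4740 events also carry a "Caller Computer Name:" field under "Additional Information", which is the value to capture when you are trying to find the host that is generating the bad passwords behind a lockout, so extend the body pattern with a third named group if your export contains it.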
