PowerShell EventLog Parse for Logon Type

Published by Torry Crass on

When you need to pin down particular aspects of events on a system, the Event Viewer MMC snap-in may not make the cut: its filter dialog works on event IDs, sources and keywords, not on the values inside the message text. Fortunately there are other ways to search events that are rather more robust than what the filtering mechanism in Event Viewer provides.

Enter PowerShell (as is more and more the case with Windows administration). The Get-EventLog cmdlet provides a great way to pull, search, slice and dice events. For this example we’re looking exclusively at “Logon Type” (mainly because I needed this information and it was a little tricky to get).

To get started, open PowerShell or the PowerShell ISE as administrator (right-click and choose Run as administrator if needed); reading the Security log requires elevated rights, and an unelevated session will simply get an access-denied error.

Next, compose a command along the lines of the one shown below; in this case I’m searching for logon type 3 (network logon) events.

Get-EventLog -LogName Security | ?{$_.Message -match 'Logon Type:\s+3\b'} | Format-Table -AutoSize -Wrap | Out-File C:\YOUREVENTLIST.TXT

Notice that the pattern has to allow for whitespace between “Logon Type:” and the number. This is necessary because of how the message section of the log entry is rendered: the label and the value are separated by a run of tabs, exactly as you see them in Event Viewer. Matching that padding literally (for example -like "Logon Type:        3") is fragile, and note that -like without any * wildcards only succeeds when the entire message equals the pattern, so such a filter returns nothing at all. A regular expression with \s+ matches the field however it is padded, and the trailing \b stops it matching any other digits. If someone else knows of a simpler way to get this targeted information with Windows native tools I’m certainly interested in learning that.

To capture the full message text, rather than the single truncated line Format-Table shows by default, you’ll need to specify -AutoSize and -Wrap. I follow this with Out-File to dump the entries to disk at the path and file name provided for easier review. Two caveats worth knowing: with no -Newest or -After limit the command walks the entire Security log, which can take a long time on a busy domain controller, and “Logon Type” is the localized message text, so the match only works on English-language systems. Get-EventLog is also only available in Windows PowerShell (5.1 and earlier); PowerShell 7 dropped it in favour of Get-WinEvent.
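The following is an added example, not code from the original post, showing a Get-WinEvent version of the same search. Instead of matching the rendered message text, it filters on the LogonType field in the event’s XML payload with an XPath expression, so it is independent of whitespace, message localization, and the Get-EventLog cmdlet. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session, and the output path C:\YOUREVENTLIST.TXT is carried over from the post as an assumption.

```powershell
# Added example (not from the original post). Assumes an elevated session
# that can read the Security log. Event IDs 4624 (successful logon) and
# 4625 (failed logon) both carry a LogonType field in their EventData.
param(
    [int]$LogonType = 3,                        # 3 = Network (SMB, RPC, WinRM...)
    [string]$OutFile = 'C:\YOUREVENTLIST.TXT'   # destination path, taken from the post
)

# Filter in the event log service itself, on the structured field rather than
# the rendered message, so padding and language do not matter.
$xpath = "*[System[(EventID=4624 or EventID=4625)] and " +
         "EventData[Data[@Name='LogonType']='$LogonType']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Turn each event's XML into an object with the fields an analyst actually
# wants, so the result can be sorted, grouped and exported like any other data.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        LogonType   = $data['LogonType']
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonProc   = $data['LogonProcessName']
    }
}

# Full listing to disk, same destination as the post's one-liner.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap | Out-File $OutFile

# Quick triage on screen: which source addresses are logging on over the network?
$rows | Group-Object SourceIp | Sort-Object Count -Descending | Select-Object Count, Name
```

Because the XPath filter runs inside the event log service, only matching events are returned to PowerShell, which is far faster than pulling every Security event and testing its message text on the client side; change the $LogonType parameter to 10 to look at RemoteInteractive (RDP) logons, or 2 for console logons.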

