Event viewer security log

Question

Hi ,

I'm trying to query Event viewer security log for an event that has an object type "Computer". can't find the object type property anywhere. any idea please ?

Get-WinEvent -LogName security | Select-Object -Property *

Answer 1

@Bonus12 That's what the editing in MS Q&A does when it spots a "$" followed by a "" -- it removes the "" when code is posed as text. Using the "Code Sample" avoids that. BTW the same problem existed on the "Add-Member" line.

Here's what the code should look like:

$ArrayList = New-Object System.Collections.ArrayList  
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4907]]" -MaxEvents 10 |   
    ForEach-Object{  
        $XML = [xml]$_.toXml()  
        $PsObject = New-Object psobject  
        $XML.Event.EventData.Data |   
            ForEach-Object{  
                $PsObject |   
                    Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"  
            }  
        $ArrayList.add($PsObject) | out-null  
    }  
  
$ArrayList | Select-Object *  

Answer 2

Hi @Bonus12 ,

This post describes how you can obtain the Object Type:
https://stackoverflow.com/questions/54406245/how-to-get-powershell-get-winevent-security-message-access-mask-that-mat

From the above link I modified it as an example on how to get a specific event ID's Object Type:

$ArrayList = New-Object System.Collections.ArrayList  
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4907]]" -MaxEvents 10 | %{  
$XML = [xml]$_.toXml()  
$PsObject =  New-Object psobject  
$XML.Event.EventData.Data | %{  
         $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"  
      }  
      $ArrayList.add($PsObject) | out-null  
    }  
      
   $ArrayList | Select *  

Example output:

You can modify the script as per your own needs.

----------

If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

Best regards,
Leon