Get-WinEvent Obtain Interactive Logon Messages Only

Question

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain \

Answer 1

The solution to the problem of how to match the white space between the semicolon and the number 2 in the first code example at the top of this article is to use a PowerShell regular expression pattern written like this \s+.

The pattern characters are case sensitive and typically used with the "-match" operator, but can be effectively employed with the Select-String commandlet as written in the poster’s original query. The modified code would look like this:

Get-WinEvent -FilterHashTable @{LogName="Security";ID=4624} | where { $_.Message | Select-String "Logon Type:\s+2"} 

Additionally, if the PowerShell script needs to query older operating systems that still use classical event logs, the Get-EventLog commandlet can be likewise employed with the same pattern as shown here:

Get-EventLog -LogName Security -InstanceID 4624 | Where {$_.Message -match "Logon Type:\s+2"}

PowerShell regular expression references:

https://technet.microsoft.com/en-us/magazine/2007.11.powershell.aspx https://www.petri.com/powershell-string-parsing-with-regular-expressions

Note: the regex pattern referenced in this answer is described by Microsoft as a “character class”.

Clark Froebe