Security log failures

This finds all audit failures. I cap it at the most recent 2000 so it won’t take forever. To get more detail out of “ReplacementStrings” (which is an array), concatenate its elements (separating them with “;”). If you don’t, the array elements won’t show up in the .csv file properly: Export-Csv writes the array’s type name instead of its values.

Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { $_.EntryType -eq 'FailureAudit' } |
    Select-Object Index, TimeGenerated, InstanceID, Message,
        @{ L = 'ReplacementStrings'; E = { $_.ReplacementStrings -join ';' } } |
    Export-Csv C:\Users\user\Documents\SecurityLogAuditFailures.csv

This doesn’t filter on any EventIDs (the “InstanceID” property), so it might return a whole bunch of EventID 5157 (DNS). To focus on some other EventIDs instead:

# ReplacementStrings are positional and their meaning depends on the event ID.
# For both 4625 and 4656 the first four are the subject's SID, account name,
# domain and logon ID; index 4 differs between the two (target user SID for
# 4625, object server for 4656), so the column names below are labels only.
Get-EventLog -LogName Security -Newest 200000 |
    Where-Object { $_.EntryType -eq 'FailureAudit' -and ($_.InstanceID -eq 4625 -or $_.InstanceID -eq 4656) } |
    Select-Object Index, TimeGenerated, Message,
        @{ L = 'GUID';          E = { $_.ReplacementStrings[0] } },
        @{ L = 'name';          E = { $_.ReplacementStrings[1] } },
        @{ L = 'domain';        E = { $_.ReplacementStrings[2] } },
        @{ L = 'someHexValue';  E = { $_.ReplacementStrings[3] } },
        @{ L = 'someOtherGUID'; E = { $_.ReplacementStrings[4] } } |
    Export-Csv C:\Users\user\Documents\SecurityLogAuditFailures2.csv
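Both commands above pull ReplacementStrings out by position, which leaves the analyst guessing what each column means. The script below is an added example (not part of the original page) that goes one step further for EventID 4625: it names every ReplacementStrings slot using the documented EventData order for that event, then summarises failed logons per target account and source address, which is the view a defender actually wants when hunting password guessing. The function names, the threshold parameter and the sample records are my own; the records are constructed so the script runs without a live Security log, and the commented Get-EventLog call at the end shows how to feed it real events in the same shape as the page's commands.

```powershell
# Added example: name the positional ReplacementStrings of event 4625 and
# summarise failed logons per account and source IP. The field list is the
# documented EventData order for 4625; nothing here is the original page's code.

$LogonFailureFields = @(
    'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId',
    'TargetUserSid', 'TargetUserName', 'TargetDomainName', 'Status', 'FailureReason',
    'SubStatus', 'LogonType', 'LogonProcessName', 'AuthenticationPackageName',
    'WorkstationName', 'TransmittedServices', 'LmPackageName', 'KeyLength',
    'ProcessId', 'ProcessName', 'IpAddress', 'IpPort'
)

function ConvertTo-LogonFailure {
    # Turn one 4625 record (anything carrying TimeGenerated and ReplacementStrings)
    # into an object with named properties instead of positional strings.
    # Records with fewer strings than expected are tolerated; missing slots stay $null.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $row = [ordered]@{ TimeGenerated = $Event.TimeGenerated }
        for ($i = 0; $i -lt $LogonFailureFields.Count; $i++) {
            $row[$LogonFailureFields[$i]] =
                if ($i -lt $Event.ReplacementStrings.Count) { $Event.ReplacementStrings[$i] } else { $null }
        }
        [pscustomobject]$row
    }
}

function Get-LogonFailureSummary {
    # Group the named failures by target account and source address. Many
    # failures for one account from one address is the password-guessing
    # pattern; Threshold (hypothetical parameter) marks such groups.
    param([Parameter(Mandatory)] $Failures, [int] $Threshold = 5)
    $Failures |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                TargetUserName = $_.Group[0].TargetUserName
                IpAddress      = $_.Group[0].IpAddress
                Count          = $_.Count
                SubStatus      = ($_.Group.SubStatus | Sort-Object -Unique) -join ';'
                Flagged        = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample records standing in for Get-EventLog output: six bad-password
# attempts (SubStatus 0xc000006a) against "alice" from one address, plus one
# unknown-account attempt (SubStatus 0xc0000064) against "bob" from another.
$sample = @(1..6 | ForEach-Object {
    [pscustomobject]@{
        TimeGenerated      = (Get-Date).AddMinutes(-$_)
        InstanceID         = 4625
        ReplacementStrings = @('S-1-0-0', '-', '-', '0x0', 'S-1-0-0', 'alice', 'CORP',
            '0xc000006d', '%%2313', '0xc000006a', '3', 'NtLmSsp', 'NTLM', 'WS01', '-', '-', '0',
            '0x0', '-', '198.51.100.7', '50000')
    }
})
$sample += [pscustomobject]@{
    TimeGenerated      = (Get-Date).AddMinutes(-10)
    InstanceID         = 4625
    ReplacementStrings = @('S-1-0-0', '-', '-', '0x0', 'S-1-0-0', 'bob', 'CORP',
        '0xc000006d', '%%2313', '0xc0000064', '3', 'NtLmSsp', 'NTLM', 'WS02', '-', '-', '0',
        '0x0', '-', '203.0.113.9', '50001')
}

$failures = $sample | ConvertTo-LogonFailure
$summary  = Get-LogonFailureSummary -Failures $failures -Threshold 5
$summary | Format-Table -AutoSize
# $summary | Export-Csv -NoTypeInformation C:\Users\user\Documents\LogonFailureSummary.csv

# Against the live log, replace $sample with the page's own query shape:
# Get-EventLog -LogName Security -Newest 2000 |
#     Where-Object { $_.EntryType -eq 'FailureAudit' -and $_.InstanceID -eq 4625 }
```

With the constructed input the "alice" group shows Count 6 and Flagged True, while "bob" shows Count 1 and Flagged False. Because the named object carries SubStatus, the summary also distinguishes bad-password runs (0xc000006a) from attempts against accounts that do not exist (0xc0000064), which is useful context when deciding whether an address is guessing passwords or enumerating usernames.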