How to parse text of Windows security log

Hi All,

I need to parse the results from the security log. With this command I can get data from the log:

descriptions of it of (records of security event log) whose ((event id of it = 4624 OR event id of it =4634) AND now - time generated of it < 1*day)

How can I just extract unique account names from this result?

Thanks a lot for your help.

Change the first part to be

descriptions of it whose (it as string contains "some text") of …

1 Like
q: properties of type "event log record"
A: length of <event log record>: integer
A: record number of <event log record>: integer
A: time generated of <event log record>: time
A: time written of <event log record>: time
A: event id of <event log record>: integer
A: event type of <event log record>: event log event type
A: category of <event log record>: integer
A: source of <event log record>: string
A: computer of <event log record>: string
A: user sid of <event log record>: security identifier
A: description of <event log record>: string
A: xml of <event log record>: xml dom node
T: 0.502 ms
I: plural property

So you can pull the user sid directly, without parsing.

Another option would be to get the event log record as xml, then parse that to get the properties you want.

2 Likes

In my brief testing, unfortunately, the user sid of <event log record> did not return the desired result in this particular case (it didn’t via Event Viewer either).

Querying the Windows Event Log (especially the Security Event log) can be fairly expensive given the number of records. For such cases, I like to reference @strawgate’s post here on how to do so more efficiently (a very interesting approach!): Relevance: Speeding Up Event Log Queries

Utilizing that general construct, here’s a sample bit of relevance that will actually parse the output of the description to return the string specified after ‘Account Name’, and return only unique values (I’ve not really tested this very much):

unique values of (preceding text of first "%0d%0a" of following text of first "Account Name:%09%09" of it) of descriptions of records ((integers in (item 0 of it + item 1 of it - 1, maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 4624 OR event id of it = 4634) of security event log

3 Likes

Aram, thank you very much, this looks amazing. One more thing: if I would like to filter only events that contain Logon Type: 3, where exactly should I modify it? Thanks again!

This just means an additional element to parse from the description, then use a ‘whose’ to filter. There are a number of different ways to do this, but here’s one (again, I’ve not really tested this 🙂). Essentially, the below returns a tuple of both the Account Name and the Logon Type by parsing the event description, then filtering by limiting the results where item 1 of the tuple (the Logon Type) is 3:

unique values of items 0 of (((preceding text of first "%0d%0a" of following text of first "Account Name:%09%09" of it, concatenation of substrings separated by "%09" of preceding text of first "%0d%0a" of following text of first "Logon Type:" of it) of descriptions of records ((integers in (item 0 of it + item 1 of it - 1, maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 4624 OR event id of it = 4634) of security event log) whose (item 1 of it = "3"))

1 Like
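The two relevance expressions above both key on the tab/CRLF layout of the event description (`%09` is a tab and `%0d%0a` is CRLF in relevance string escapes): take the text after the first "Account Name:", cut at the end of the line, and optionally keep only records whose "Logon Type:" value is 3. The Python below is an added example, not code from the thread or from BigFix, that performs the same parse over constructed sample descriptions so the logic can be checked offline. It goes one step beyond the relevance: because a 4624 description carries two "Account Name" fields (the Subject that requested the logon and the New Logon that was actually granted), the parser keeps the section each field sits in, so you can see which account "first Account Name" really returns. The sample records, SIDs and names are made up, and the `SAMPLE_EVENTS` shape (a dict with `event_id` and `description`) is an assumption of this example, not a BigFix data structure.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real log exports). The descriptions mimic the
# tab-indented, CRLF-terminated layout of Security events 4624 (logon), 4634
# (logoff) and 4672 (privileges), which is exactly what the thread's relevance
# keys on ("Account Name:%09%09" and "%0d%0a"). All identifiers are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_id": 4624, "description": "\r\n".join([
        "An account was successfully logged on.", "",
        "Subject:",
        "\tSecurity ID:\t\tS-1-5-18",
        "\tAccount Name:\t\tWIN-HOST$",
        "\tAccount Domain:\t\tWORKGROUP", "",
        "Logon Type:\t\t\t3", "",
        "New Logon:",
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001",
        "\tAccount Name:\t\talice",
        "\tAccount Domain:\t\tCORP", ""])},
    {"event_id": 4624, "description": "\r\n".join([
        "An account was successfully logged on.", "",
        "Subject:",
        "\tAccount Name:\t\tWIN-HOST$",
        "\tAccount Domain:\t\tWORKGROUP", "",
        "Logon Type:\t\t\t2", "",
        "New Logon:",
        "\tAccount Name:\t\tbob",
        "\tAccount Domain:\t\tCORP", ""])},
    {"event_id": 4634, "description": "\r\n".join([
        "An account was logged off.", "",
        "Subject:",
        "\tAccount Name:\t\talice",
        "\tAccount Domain:\t\tCORP", "",
        "Logon Type:\t\t\t3", ""])},
    {"event_id": 4672, "description": "\r\n".join([
        "Special privileges assigned to new logon.", "",
        "Subject:",
        "\tAccount Name:\t\tSYSTEM",
        "\tAccount Domain:\t\tNT AUTHORITY", ""])},
]

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")        # e.g. "Subject:"
FIELD_RE = re.compile(r"^([A-Za-z ]+):\t+(.+)$")   # e.g. "Account Name:\t\talice"


def parse_description(description: str) -> Dict[str, Dict[str, str]]:
    """Turn a tab-formatted description into {section: {label: value}}.
    Tab-indented fields belong to the most recent unindented 'Section:' heading;
    unindented fields such as 'Logon Type:' land in the '' (top-level) section."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in description.split("\r\n"):
        indented = raw.startswith("\t")
        line = raw.strip()
        if not line:
            continue
        heading = SECTION_RE.match(line)
        if heading and not indented:
            current = heading.group(1)
            sections.setdefault(current, {})
            continue
        field = FIELD_RE.match(line)
        if field:
            sections[current if indented else ""][field.group(1)] = field.group(2).strip()
    return sections


def first_account_name(description: str) -> Optional[str]:
    """What the relevance 'following text of first "Account Name:%09%09"' yields:
    the text after the FIRST Account Name marker up to the end of that line.
    For 4624 that is the Subject, not the account that was logged on."""
    marker = "Account Name:\t\t"
    idx = description.find(marker)
    if idx < 0:
        return None
    return description[idx + len(marker):].split("\r\n", 1)[0]


def unique_account_names(events: List[Dict[str, object]],
                         wanted_logon_type: Optional[str] = None,
                         section: str = "Subject") -> List[str]:
    """Counterpart of the thread's relevance: unique Account Names from 4624/4634
    records, optionally only where Logon Type equals wanted_logon_type (a string,
    as the relevance compares against "3"). section="Subject" matches the
    relevance; section="New Logon" gives the account actually logged on (4624 only)."""
    names = set()
    for ev in events:
        if ev["event_id"] not in (4624, 4634):
            continue
        parsed = parse_description(str(ev["description"]))
        if wanted_logon_type is not None and parsed[""].get("Logon Type") != wanted_logon_type:
            continue
        name = parsed.get(section, {}).get("Account Name")
        if name:
            names.add(name)
    return sorted(names)


if __name__ == "__main__":
    print("first Account Name of event 0:", first_account_name(str(SAMPLE_EVENTS[0]["description"])))
    print("Subject names, any logon type:", unique_account_names(SAMPLE_EVENTS))
    print("New Logon names, Logon Type 3:", unique_account_names(SAMPLE_EVENTS, "3", "New Logon"))
```

Run stand-alone, the script shows the difference the section makes: the relevance-equivalent `first_account_name` on the first 4624 record returns `WIN-HOST$` (the Subject), while the account that actually logged on over the network is `alice` under "New Logon". If the goal is "who logged on", take the Account Name from the New Logon block rather than the first one in the description.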

Thank you Aram, that works excellent!