get only all unique usernames from eventvwr

Hi,

I need to get only the last logged username entries from the security event logs, only unique usernames, no duplicates.

So if there are 1000 entries for 5 users, say logon or logoff, return only 5 entries of each user by newest event.

I have tried the below, but it is not helping:

Get-EventLog -LogName Security | Export-Csv -NoTypeInformation c:\test.csv
$b = Import-Csv C:\test.csv | sort Username -Unique
$b | Export-Csv C:\testunique.csv -NoTypeInformation

Regards,

Ochen

May 29th, 2015 12:11pm

No idea what you are asking.  You cannot use the Event log that way.  User logon events do not work like that.

What event IDs are you looking for?

Use Get-WinEvent. Get-EventLog is now obsolete.

May 29th, 2015 2:38pm

Hi Ochen,

To filter the last logged username entries from the security event logs, please refer to the script below to start, which can get the account name in the message of the security event logs:

$events = Get-WinEvent -LogName security -MaxEvents 100|Select-Object -Property TimeCreated,Id, `
@{Name='AccountName';Expression={$_.Properties[5].Value}}, `
@{Name='AccountDomain';Expression={$_.Properties[6].Value}}
$events|group AccountName|foreach{
 $_.group|sort TimeCreated -Descending|select -First 1}

To filter the event log with PowerShell, please also refer to this article:

Use PowerShell Cmdlet to Filter Event Log for Easy Parsing

If there is anything else regarding this issue, please feel free to post back.

Best Regards,

Anna Wang

May 30th, 2015 6:26am

Won't work.  You have to specify the correct event IDs.

May 30th, 2015 8:26am

Ok, I am only looking for logon events from the event viewer. But there should be no duplicates.

For example, if there are logon events for user X, display only the latest one. Same for other users as well

May 31st, 2015 12:48am

There is no simple two or three line script that will do that.

Are you really asking for the last user to log on to a system? Are you asking about the domain? You have to clarify what these things are that you are asking about.

The code posted by Anna will only work on one type of event record. There is no way to determine the user without returning the record and testing it. To do that we need to know what kind of logon you are asking about.

You can start by studying how the security log works and how logon records are generated.  From that you will be able to determine what kind of records you are asking for.

Start with this to see if it helps you to understand.

Get-WinEvent -FilterHashTable @{Logname='security';ID=4624} |
    Select-Object -Property TimeCreated,
         @{Name='AccountName';Expression={$_.Properties[5].Value}},
         @{Name='AccountDomain';Expression={$_.Properties[6].Value}},
         @{Name='LogonType';Expression={$_.Properties[8].Value}} 


You will have to decide which types. Direct to console is type 2. You will then need to group by username and time and choose the first one. If you want to look at DC logons then the rules are much different.

May 31st, 2015 2:12am
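
One way to carry out what the last reply describes (take event 4624, pick a logon type, group by user and keep the newest record), as an added example that is not part of any post in this thread. It reads the 4624 fields by their EventData names instead of by index; the function names and the sample records are made up for illustration.

```powershell
# Added example (not from the thread). Event 4624 EventData field names used:
# TargetUserName, TargetDomainName, LogonType.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline=$true)] $InputObject)
    process {
        # Index EventData by field name rather than by position in Properties[]
        $data = @{}
        foreach ($d in ([xml]$InputObject.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated   = $InputObject.TimeCreated
            AccountName   = $data['TargetUserName']
            AccountDomain = $data['TargetDomainName']
            LogonType     = [int]$data['LogonType']
        }
    }
}

function Select-LatestLogon {
    param(
        [Parameter(ValueFromPipeline=$true)] $InputObject,
        [int[]] $LogonType = @(2)   # 2 = logon at the console
    )
    begin { $latest = @{} }
    process {
        if ($InputObject.LogonType -notin $LogonType) { return }
        # PowerShell hashtable literals compare string keys case-insensitively
        $key = '{0}\{1}' -f $InputObject.AccountDomain, $InputObject.AccountName
        if (-not $latest.ContainsKey($key) -or
            $InputObject.TimeCreated -gt $latest[$key].TimeCreated) {
            $latest[$key] = $InputObject   # keep only the newest record per user
        }
    }
    end { $latest.Values | Sort-Object TimeCreated -Descending }
}

# Constructed sample records (not real log data), to try the grouping offline
$sample = @(
    [pscustomobject]@{ TimeCreated=[datetime]'2015-05-29 08:00'; AccountName='alice'; AccountDomain='CORP'; LogonType=2 }
    [pscustomobject]@{ TimeCreated=[datetime]'2015-05-29 09:30'; AccountName='Alice'; AccountDomain='CORP'; LogonType=2 }
    [pscustomobject]@{ TimeCreated=[datetime]'2015-05-29 09:00'; AccountName='bob';   AccountDomain='CORP'; LogonType=2 }
    [pscustomobject]@{ TimeCreated=[datetime]'2015-05-29 10:00'; AccountName='bob';   AccountDomain='CORP'; LogonType=3 }
)
$sample | Select-LatestLogon

# Against the live Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#     ConvertTo-LogonRecord | Select-LatestLogon
```

Pass `-LogonType 2,10` to count Remote Desktop logons as well as console logons.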
