How to filter the Windows Security event log by SID?
Solution 1
Use the -FilterXPath
option instead!
In the following example, I've saved all events from the Security log on my machine to seclog.evtx
on the Desktop and search for events with SubjectUserSid S-1-5-18
(LOCAL SYSTEM
):
$events = Get-WinEvent -Path "$HOME\Desktop\seclog.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):
$seclogSplat = @{
'Path' = "$HOME\Desktop\seclog.evtx"
'FilterXPath' = '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
'MaxEvents' = 10
}
$events = Get-WinEvent @seclogSplat
You can specify multiple non-exclusive criteria with or
:
*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18" or Data[@Name="SubjectUserSid"] = "S-1-0-0"]]
Solution 2
I don't know of any built in way to find out if a specific UserID exists.
However, you can just match the content of the message to find your SiD, as it should be unique:
$events = get-winevent -logname security -path "Archive-Security-2015-04-14-02-13-02-299.evtx" | where {$_.message -match 'S-1-5-21-220523388-838170752-839522115-yyyy'}
There are also some cleaner ways using XML filtering.
But personally I haven't had a need for them yet, and content matching the message has been sufficient so far.
Related videos on Youtube
Old Geezer
Don't shoot the messenger. An expert, or teacher, is a person who, after reading your question, knows what you know, what you don't know, what you are trying to know, and what else you need to know in order to achieve what you are trying to know.
Updated on September 18, 2022Comments
-
Old Geezer over 1 year
I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by
UserId
though, according to here. Is the following correct syntax correct to search the user in the screen shot below?$events = get-winevent -filterhashtable @{ logname='security'; path="Archive-Security-2015-04-14-02-13-02-299.evtx"; UserId='S-1-5-21-220523388-838170752-839522115-yyyy' }
I get "No events were found that match the specified selection criteria." with the above command. But if I remove the
UserId
key, a long list is returned, so there should be nothing wrong withlogname
orpath
.-
Reaces about 9 yearsCorrect me if I'm wrong, but I thought the
id
paramater under the hashtable filter is actually theevent id
? -
Old Geezer about 9 yearsThanks for pointing it out. I pasted the command from a wrong attempt. I have updated the question. I used
UserId
='....'
-
-
Old Geezer about 9 yearsThat's what I did for further post processing to get my report. But I prefer filtering before piping, as, as your linked article says, it's a greater than 100X difference in performance. The said id exists, as the GUI event viewer shows. What I am uncertain is the syntax or whether UserId key refers to this SID field.
-
Old Geezer about 9 yearsThanks. How do I specify a saved log file and the logname with the FilterXPath option?
-
Mathias R. Jessen about 9 years@OldGeezer Sorry, didn't notice it was a Saved log file. Just use the
-Path
parameter, answer updated -
Old Geezer about 9 yearsThanks. It works. One more question if you don't mind: what's the syntax for logical OR in that *[.[ [..]..].] thingy?
-
Mathias R. Jessen about 9 years
or
(lowercase) -
Old Geezer about 9 yearsI found out that with this method I could also filter by SubjectserName, which is more user friendly than the SID.