Powershell – Reporting Event Log content via triggered Email Windows 2012

I am able to send email based on event log triggering a Task Scheduler action which runs a powershell script. However, I am unable to pass any of the important data that this event carries.
For instance, the Event Viewer > Custom Views > Server Roles > Remote Desktop Services events log the IP address of the connecting party on successful logins.
This is easily done on Windows 2008:


But since the deprecation of the email option on 2012 I am unable to find an obvious way to pass the values that are available through the Event log. As an example, here are the values that one could report via email in Windows 2008:
RDP Login Successful
EventID: $(eventRecordID)
System: $(WorkstationName)
From: $(IpAddress)
By: $(TargetUserName)

I have tried passing these as arguments under the "add arguments" field in Action properties as such (with powershell as program/script):
"-noprofile -executionpolicy bypass -file C:\Windows\System32\email.successful.rdp.login.ps1 $(IpAddress)"

Does anybody have any ideas how to accomplish this in Windows 2012?
I guess it is possible to query for the last event and export as file and then attach this to the resulting email but I would think there is a more elegant way of extracting the data. It was possible to do in 2008 so I would assume it should be in 2012.


Best Answer

This will be a bit of a long one, hopefully it makes sense.

I don't have auditing on for 4625 in my test environment. I will use event ID 4624 instead in my example. 4625 and 1142 should be the same.

To get my event logs, I'm using the below

[dc1]: PS C:\Users\Administrator\Documents> Get-WinEvent -FilterHashtable @{LogName ='security'; ID = 4624}

ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
17/01/2018 7:43:23 PM         4624 Information      An account was successfully logged on....
17/01/2018 7:42:23 PM         4624 Information      An account was successfully logged on....
17/01/2018 7:41:36 PM         4624 Information      An account was successfully logged on...

I'm also using Select-Object -First 1 to only use the first event object. If you run Get-Member on one of these events, it gives you the MemberTypes Method, Property and the one we want, NoteProperty.

[dc1]: PS C:\Users\Administrator\Documents> Get-WinEvent -FilterHashtable @{LogName ='security'; ID = 4624} | Select-Object -First 1 | Get-Member
TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord
Name                 MemberType   Definition
----                 ----------   ----------
Dispose              Method       void Dispose(), void IDisposable.Dispose()
Equals               Method       bool Equals(System.Object obj)
FormatDescription    Method       string FormatDescription(), string FormatDescription(System.Collections.Generic.IEnumerable[System.Object] values)
GetHashCode          Method       int GetHashCode()
GetPropertyValues    Method       System.Collections.Generic.IList[System.Object] 
GetType              Method       type GetType()
ToString             Method       string ToString()
ToXml                Method       string ToXml()
Message              NoteProperty string Message=An account was successfully logged on....
ActivityId           Property     System.Nullable[guid] ActivityId {get;}
Bookmark             Property     System.Diagnostics.Eventing.Reader.EventBookmark Bookmark {get;}

I will assign this to a variable to be able to extract the information.

[dc1]: PS C:\Users\Administrator\Documents> $event = Get-WinEvent -FilterHashtable @{LogName ='security'; ID = 4624} | Select-Object -First 1

If you run Get-Member on $event.Message, its TypeName is System.String, so it can be used as a string.

[dc1]: PS C:\Users\Administrator\Documents> $event.Message | Get-Member
   TypeName: System.String

$event.message in this case contains most of the Event ID information. A small snippet is below.

[dc1]: PS C:\Users\Administrator\Documents> $event.Message
An account was successfully logged on.

    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     Yes

Impersonation Level:        Impersonation

New Logon:
   Security ID:     S-1-5-18
   Account Name:        DC1$
   Account Domain:      TIMHAINTZ.COM

If you don't want to email all of $event.message, you can use RegEx to choose the bits you want. An example is below to grab the Account Domain: section.

[dc1]: PS C:\Users\Administrator\Documents> $regexevent = ([regex]::Matches( $event.Message, '(?<=Account\sDomain:\s\s).+').value)
[dc1]: PS C:\Users\Administrator\Documents> $regexevent

In the example above, Account Domain: appears twice, so the RegEx finds two matches: - and TIMHAINTZ.COM.

As per Mart's comments, to get the correct logs for Event ID 1149, see the code below.

Get-WinEvent -FilterHashtable @{LogName ='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; ID = 1149}

Hope this helps.

Thanks, Tim.
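A complete script along the lines of the answer, added here as an example and not part of the original post: it reads the newest RDP logon event (4624 with logon type 10, RemoteInteractive) from the Security log, takes the named fields from the event XML via the ToXml method (the field names are the same ones the question lists) instead of regex on the Message text, and mails them. The SMTP server and addresses are placeholders, and the task running it needs read access to the Security log.

```powershell
# Added example, not from the original post. Mails the details of the newest
# RDP logon (Security 4624, LogonType 10) taken from the event's XML.
# Placeholder mail settings: replace with your own SMTP server and addresses.
$Smtp = 'smtp.example.internal'
$From = 'rdp-alerts@example.internal'
$To   = 'secops@example.internal'

# Turn one EventLogRecord into a hashtable of EventData Name -> value.
# Unlike regex on $event.Message, each field appears exactly once and is
# addressed by its name (TargetUserName, IpAddress, WorkstationName, ...).
function Get-EventDataFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# XPath filter so only RemoteInteractive (RDP) logons are returned; the
# newest one is all we need, so -MaxEvents 1 keeps the query cheap.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$rdpLogon = Get-WinEvent -LogName 'Security' -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $rdpLogon) {
    Write-Warning 'No RDP (logon type 10) 4624 event found.'
    return
}

$f = Get-EventDataFields -Record $rdpLogon

# Same layout as the Windows 2008 email from the question.
$body = @"
RDP Login Successful
EventID: $($rdpLogon.RecordId)
Time:    $($rdpLogon.TimeCreated)
System:  $($f.WorkstationName)
From:    $($f.IpAddress)
By:      $($f.TargetDomainName)\$($f.TargetUserName)
"@

Send-MailMessage -SmtpServer $Smtp -From $From -To $To `
    -Subject "RDP logon by $($f.TargetUserName) from $($f.IpAddress)" -Body $body
```

When the task is triggered by the event itself, the newest matching record is normally the one that fired the trigger; if logons can arrive in bursts, widen -MaxEvents and loop over the results instead of taking only the first.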