0

I have a large script which looks at certain event logs. Part of it is the following command:

Get-EventLog -ComputerName $computer -InstanceId 4625 -LogName Security -After $date -ErrorAction Stop | Select TimeWritten,@{n='Reason for Failure';e={$_.ReplacementStrings[8]}}

I receive the following output:

TimeWritten         Reason for Failure
-----------         ------------------
08/05/2018 10:55:06 %%2313            
08/05/2018 09:19:24 %%2313            
08/05/2018 07:49:22 %%2304            
08/05/2018 07:49:22 %%2304  

Is it possible to change the output in the reason for failure column to some other message? I know of the -replace operator, but I am struggling with how to incorporate it.

4

1 Answer

2

This should get you headed in the right direction:

$failures = @{'%%2313' = 'Unknown User Name or Bad Password';
              '%%2304' = 'An Error occured during Logon'
             }
Get-EventLog -ComputerName $computer -InstanceId 4625 -LogName Security -After $date -ErrorAction Stop | Select TimeWritten,@{n='Reason for Failure';e={$failures[$_.Message]}}

Change $_.Message to be whichever field has the error code.

Answered 2018-05-08T14:17:00.567
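An added example, not part of the original question or answer: the lookup-table approach keyed on `ReplacementStrings[8]` (the field the question reads), with a fallback so a code missing from the table shows up as the raw code instead of an empty column. `Resolve-FailureReason` and `New-SampleEvent` are hypothetical helper names, and the sample records are constructed so the block runs without a live Security log.

```powershell
# Lookup table holding the two codes seen in this thread.
$failures = @{
    '%%2313' = 'Unknown user name or bad password'
    '%%2304' = 'An error occurred during logon'
}

# Hypothetical helper: translate a code, but never hide one that is unmapped.
function Resolve-FailureReason {
    param([string]$Code)
    $key = $Code.Trim()
    if ($failures.ContainsKey($key)) {
        $failures[$key]
    }
    else {
        "Unmapped code $key"
    }
}

# Hypothetical helper: builds a constructed record shaped like the fields
# the question selects from Get-EventLog (TimeWritten, ReplacementStrings).
function New-SampleEvent {
    param([datetime]$Time, [string]$Code)
    [pscustomobject]@{
        TimeWritten        = $Time
        # Index 8 carries the failure code, as in the question's command.
        ReplacementStrings = (@('') * 8) + $Code
    }
}

# Constructed sample input; '%%9999' is a made-up placeholder, not a real code.
$sample = @(
    New-SampleEvent -Time '2018-05-08 10:55:06' -Code '%%2313'
    New-SampleEvent -Time '2018-05-08 07:49:22' -Code '%%2304'
    New-SampleEvent -Time '2018-05-08 07:40:00' -Code '%%9999'
)

# Replace $sample with the Get-EventLog pipeline from the question to run
# this against a real log; the calculated property stays the same.
$sample | Select-Object TimeWritten,
    @{n = 'Reason for Failure'; e = { Resolve-FailureReason $_.ReplacementStrings[8] }}
```

With a plain `$failures[...]` lookup, an unmapped code returns `$null` and the column is blank, which makes new failure reasons easy to miss when reviewing failed logons.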