event log entry message block retrieve values

Question

instead of using Regex, can i retrieve sub strings in the message block of text of an eventlog entry?

This is what the block of text look like:

Kerberos pre-authentication failed.

Account Information:
    Security ID:        HO\administrators$
    Account Name:       administrators$

Service Information:
    Service Name:       krbtgt/HO.FOSLTD.CO.ZA

Network Information:
    Client Address:     ::ffff:10.250.1.12
    Client Port:        51933

Additional Information:
    Ticket Options:     0x40000000
    Failure Code:       0x18
    Pre-Authentication Type:    2

i want only the values to the right of:

Account Name 
Client Address, but with out the ::ffff:
Failure Code

this part of my code return the below text:

 $sSecurityID = $Item.SubString($Item.IndexOf("Account Information"))
 $sSecurityID = $sSecurityID.SubString($sSecurityID.IndexOf("Account Name"))
 $sSecurityID = $sSecurityID.TrimStart("Account Name:")
 $sSecurityID = $sSecurityID.Trim()

output:

OrtheaE

Service Information:
    Service Name:       krbtgt/ho

Network Information:
    Client Address:     ::ffff:172.26.50.11
    Client Port:        20697

Additional Information:
    Ticket Options:     0x40810010
    Failure Code:       0x18
    Pre-Authentication Type:    2

Answer 1

How are you extracting the log data? You're looking for the ReplacementStrings field which is not available when you use the Get-WinEvent.

get-eventlog -computername dc-01 -logname security | ?{$_.eventid -eq "4674"} | 
select machinename,eventid,@{n='AccountName';e={$_.ReplacementStrings[1]}},entrytype,message | 
convertto-html | out-file c:\test.html

And then if those don't work this most definitely will:

Get-EventLog "Security" -before 4/10/2013 -InstanceId 4663 | % {
    New-Object psobject -Property @{
        Index = $_.Index
        TimeGenerated = $_.TimeGenerated
        "Account Name" = $_.ReplacementStrings[1]
        "Object Type" = $_.ReplacementStrings[5]
        "Object Name" = $_.ReplacementStrings[6]
    }
} | export-csv c:\export.csv -NoTypeInformation

You'll see that all values are in your ReplacementStrings in the order that they're show in the text. The first variable in that message is the "Security ID", so that's most likely stored in $_.ReplacementStrings[0] etc.