How to query User field in 2008R2 app log?

Question

User158988770 posted

Does anyone know how to extract the "User:" field from server 2008R2 application event log?

The data is not in the "Strings" field like in the SEC log Its below the strings field on the "General" tab of the app event log entry.

Any help is really appreciated here.

thanks

Answer 1

User-1499466209 posted

Hi,

as always PowerShell (and .NET) can do that. Not sure you can filter on the username with Get-EventLog but sure you can do it like this :

([System.Diagnostics.EventLog]::GetEventLogs() | ? {$_.log -like 'Application'} ).entries | where {$_.Username -eq 'THE_USER_U_WANNA_FILTER_ON'}