How To Get the Data Out of ReplacementStrings Properly

When retrieving data from the Windows event log, certain types of log entries carry a very useful field called ReplacementStrings. It is a string array, so its contents can be retrieved if you know how the array is laid out.

The problem is that every event ID has a different string-array layout, so you need to examine each one separately. To find the layout for a given event ID, open one of its log entries, switch to the Details tab and look at the EventData section.

Take an event ID 4740 entry as an example. The array follows the order shown in EventData, starting at index 0, which is TargetUserName, the user account that gets locked out. The next one, index 1, is TargetDomainName, the computer where the account gets locked out.

So you can retrieve and display the data accordingly, using ReplacementStrings[0] to get the value of TargetUserName and ReplacementStrings[1] for TargetDomainName.

Here is a script that retrieves locked-out account info from the security event log, for your reference.

```powershell
# Collect locked-out accounts from AD (4740 is logged on the PDC emulator)

$logname = "Security"
$dcname  = (Get-ADDomain).PDCEmulator
$eventID = 4740
$content = Get-EventLog -LogName $logname -ComputerName $dcname -After (Get-Date).AddDays(-1) -InstanceId $eventID |
    Select-Object TimeGenerated, ReplacementStrings
# Paragraph separator for the report. Named $sep rather than $ofs because $OFS is
# PowerShell's own output-field-separator variable and overriding it has side effects.
$sep  = "`r`n`r`n"
$body = "Fetching event log started on " + (Get-Date) + $sep

If ($null -eq $content)
{
    $body = $body + "No lock-out accounts happened today" + $sep
}
Else
{
    Foreach ($event in $content)
    {
        # Index into the current event ($event), not the whole $content collection
        $source   = $event.ReplacementStrings[1]   # TargetDomainName: computer where the account got locked out
        $username = $event.ReplacementStrings[0]   # TargetUserName: account that got locked out
        $body = $body + $event.TimeGenerated + ": " + $username + " - " + $source + $sep
    }
}
$body
```
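Hard-coding `[0]` and `[1]` works until someone forgets which index is which. The following is an added example, not code from the original post: it keeps a per-event-ID table of field names (the order you read off the Details tab, as described above) and turns each ReplacementStrings array into an object with named properties. Indexes 2 to 6 for event 4740 are the editor's reading of that tab and should be checked against your own events; the function names, the field table and the sample event are assumptions constructed for this example. It also goes one step beyond the post and shows a second function that reads the field names straight out of the event XML via Get-WinEvent, which needs no hand-built table at all.

```powershell
# Added example (not from the original post). Field order per event ID, as read
# from the EventData section of the Details tab. Indexes 2-6 are the editor's
# reading of a 4740 event; verify against your own log before relying on them.
$FieldMap = @{
    4740 = @('TargetUserName', 'TargetDomainName', 'TargetSid',
             'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId')
}

function ConvertFrom-ReplacementStrings {
    # Hypothetical helper: map a ReplacementStrings array onto named properties.
    param(
        [Parameter(Mandatory)] [int]      $EventId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ReplacementStrings,
        [datetime] $TimeGenerated
    )
    $names = $FieldMap[$EventId]
    if (-not $names) { throw "No field map for event ID $EventId; read its Details tab and add one." }
    $obj = [ordered]@{ EventId = $EventId; TimeGenerated = $TimeGenerated }
    for ($i = 0; $i -lt $names.Count; $i++) {
        # Pad with $null if the event carries fewer strings than the map expects
        $obj[$names[$i]] = if ($i -lt $ReplacementStrings.Count) { $ReplacementStrings[$i] } else { $null }
    }
    [pscustomobject]$obj
}

function ConvertFrom-EventXml {
    # Hypothetical helper for Get-WinEvent records: the XML carries the field
    # names itself (<Data Name="TargetUserName">...), so no index table is needed.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    $xml = [xml]$Record.ToXml()
    $obj = [ordered]@{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
    [pscustomobject]$obj
}

# Constructed sample shaped like one item of
# Get-EventLog ... | Select TimeGenerated, ReplacementStrings; runs without a domain controller.
$sample = [pscustomobject]@{
    TimeGenerated      = Get-Date '2024-01-15 08:42:10'
    ReplacementStrings = @('jdoe', 'WKS-042', 'S-1-5-21-1111111111-2222222222-3333333333-1105',
                           'S-1-5-18', 'DC01$', 'EXAMPLE', '0x3e7')
}
$parsed = ConvertFrom-ReplacementStrings -EventId 4740 -ReplacementStrings $sample.ReplacementStrings -TimeGenerated $sample.TimeGenerated
"{0}: {1} - {2}" -f $parsed.TimeGenerated, $parsed.TargetUserName, $parsed.TargetDomainName

# Live use against the PDC emulator. Get-EventLog exists only in Windows PowerShell;
# the Get-WinEvent form below also works in PowerShell 7.
# Get-EventLog -LogName Security -ComputerName (Get-ADDomain).PDCEmulator -After (Get-Date).AddDays(-1) -InstanceId 4740 |
#     ForEach-Object { ConvertFrom-ReplacementStrings -EventId 4740 -ReplacementStrings $_.ReplacementStrings -TimeGenerated $_.TimeGenerated }
# Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-EventXml $_ }
```

The table-driven function fails loudly on an event ID it has no map for, which is preferable to silently reading the wrong index; the XML-based function avoids the index problem entirely, at the cost of parsing one XML document per event.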

Hope it helps.

2 thoughts on “How To Get the Data Out of ReplacementStrings Properly”

  1. Thanks for this. Very helpful. One question: When looking at Event ID 4733 in Event Viewer, I can see an actual SAMAccountName for Member:Security ID in the General tab. However, when looking at the corresponding property in the Details tab, it shows a GUID. A GUID is also returned for the corresponding property when querying the record using PowerShell.

    I feel that the SAMAccountName can probably be extracted from the record somehow because it needs to be displayed in the General tab even when an Active Directory domain is not available.

    Do you know how to access the actual SAMAccountName using PowerShell?
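Where a ReplacementStrings entry holds a security identifier in S-1-... form instead of an account name, .NET can translate it to DOMAIN\name on a machine that can reach the issuing authority. The following is an added example, not part of the post or of the comment above; the function name is hypothetical and the domain SID shown is constructed.

```powershell
# Added example (not from the original post or comment). Translate a SID string
# from ReplacementStrings into DOMAIN\name; return the input unchanged when it is
# not a SID or cannot be resolved (for example a domain SID with no reachable DC).
function Resolve-EventSid {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Value)
    if ($Value -notmatch '^S-1-\d+(-\d+)+$') { return $Value }   # plain name, pass through
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Value
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Value   # IdentityNotMappedException etc.: keep the raw SID so the report stays complete
    }
}

Resolve-EventSid 'S-1-5-32-544'                                      # well-known SID, resolves offline to BUILTIN\Administrators
Resolve-EventSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed domain SID; returned as-is unless that domain answers
Resolve-EventSid 'jdoe'                                              # not a SID, returned unchanged
```

Keeping the unresolved SID rather than dropping the entry matters for forensics: a lockout or group change attributed to a SID that no longer maps to an account is itself a signal worth keeping in the report.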
