@davidroberts63
Created August 23, 2016 18:19
Read Audit Event Logs powershell
# Swap the %%NNNN parameter placeholders that the classic event-log API leaves unresolved
# in Security audit messages (object-access events such as 4656/4663) for the access-right
# and access-reason text Event Viewer would show.
# -Replace is a regex operator; these patterns contain no metacharacters, so they match literally.
function FormatAuditTokens($text)
{
    $text -Replace "%%1541", "SYNCHRONIZE" `
          -Replace "%%4421", "Execute/Traverse" `
          -Replace "%%1805", "Not granted" `
          -Replace "%%4423", "ReadAttributes" `
          -Replace "%%4416", "ReadData (or ListDirectory)" `
          -Replace "%%1537", "DELETE" `
          -Replace "%%1538", "READ_CONTROL" `
          -Replace "%%1542", "ACCESS_SYS_SEC" `
          -Replace "%%4417", "WriteData (or AddFile)" `
          -Replace "%%4419", "ReadEA" `
          -Replace "%%1811", "Granted by ACE on parent folder" `
          -Replace "%%1804", "Granted by ownership" `
          -Replace "%%1809", "Unknown or unchecked" `
          -Replace "%%1810", "Not granted due to missing"
}
# Two-minute window around the failure under investigation; adjust to the incident.
$begin = Get-Date "2016-08-23 11:13:00"
$end = Get-Date "2016-08-23 11:15:00"
# System log first, for context (service and driver messages) in the same window.
Get-EventLog -LogName System -After $begin -Before $end | Format-List TimeGenerated,Source,Message
Write-Host
Write-Host "Security ===================="
# Reading the Security log requires an elevated session. Get-EventLog exists only in
# Windows PowerShell (it is absent from PowerShell 7, where Get-WinEvent is the replacement).
Get-EventLog -LogName Security -EntryType FailureAudit -After $begin -Before $end | Format-List TimeGenerated,@{Name="Message";Expression={FormatAuditTokens $_.Message}}
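A table-driven version of the same decoding, added here as an example and not part of the original gist: the placeholder IDs live in one hashtable, anything left in %%NNNN form after decoding is tagged rather than silently passed through, and the Security log is read with Get-WinEvent, restricted to the object-access events (4656, 4663) whose messages carry these placeholders. The names Expand-AuditTokens, Get-DecodedAuditFailures and $AuditTokenMap are this example's own, the sample message is constructed, and %%9999 is a stand-in for an ID missing from the table.

```powershell
# Added example, not the gist's own code: table-driven decoding of the %%NNNN placeholders
# in Windows Security object-access events, plus a Get-WinEvent reader for the same window.

# Placeholder IDs and their text, taken from the gist above.
$AuditTokenMap = @{
    # Access rights (the "Accesses:" field)
    '1537' = 'DELETE'
    '1538' = 'READ_CONTROL'
    '1541' = 'SYNCHRONIZE'
    '1542' = 'ACCESS_SYS_SEC'
    '4416' = 'ReadData (or ListDirectory)'
    '4417' = 'WriteData (or AddFile)'
    '4419' = 'ReadEA'
    '4421' = 'Execute/Traverse'
    '4423' = 'ReadAttributes'
    # Access reasons (the "Access Reasons:" field)
    '1804' = 'Granted by ownership'
    '1805' = 'Not granted'
    '1809' = 'Unknown or unchecked'
    '1810' = 'Not granted due to missing'
    '1811' = 'Granted by ACE on parent folder'
}

function Expand-AuditTokens {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($id in $AuditTokenMap.Keys) {
        # Keys are digits only, so the pattern is literal; \b keeps %%154 from matching inside %%1541.
        $Text = $Text -replace "%%$id\b", $AuditTokenMap[$id]
    }
    # Whatever is still in %%NNNN form has no table entry: flag it instead of hiding it,
    # so a right or reason the table does not know shows up as a gap, not as missing text.
    $Text -replace '%%(\d+)', '<unmapped %%$1>'
}

# Constructed sample shaped like the "Access Request Information" part of a 4656 message
# (not a captured event). %%9999 is a hypothetical ID with no table entry.
$sampleMessage = @"
Access Request Information:
    Accesses:       %%1541
                    %%4416
                    %%4423
    Access Reasons: %%1541: %%1811 D:(A;ID;FA;;;BA)
                    %%4416: %%1810 D:(A;ID;FA;;;BA)
                    %%4423: %%9999
"@

Expand-AuditTokens $sampleMessage

# Live use. Get-WinEvent replaces the classic Get-EventLog (absent from PowerShell 7);
# reading Security still needs an elevated session. 4656 = handle requested, 4663 = access
# attempted. The Keywords bit selects Audit Failure records, like -EntryType FailureAudit above.
# An empty window is a non-terminating error for Get-WinEvent, hence -ErrorAction SilentlyContinue.
function Get-DecodedAuditFailures {
    param([datetime]$Start, [datetime]$End)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = $Start
        EndTime   = $End
        Keywords  = 0x10000000000000   # StandardEventKeywords.AuditFailure
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { Expand-AuditTokens $_.Message } }
}

Get-DecodedAuditFailures -Start (Get-Date '2016-08-23 11:13:00') -End (Get-Date '2016-08-23 11:15:00') |
    Format-List TimeCreated, Id, Message
```

Running the sample through Expand-AuditTokens prints the three access rights and their reasons in clear text and leaves `<unmapped %%9999>` on the last line, which is the signal to extend the table; the Get-WinEvent call applies the same decoder to whatever placeholders the log rendering left unresolved in the real events.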