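As the title says, is there a way to filter the details in the message part of event log 4720? I only want to extract the subject account name and the target account name. I currently have the following code. It gets the necessary information, but I would like to filter it.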
# CSS style
$css= "<style>"
$css= $css+ "BODY{ text-align: center; background-color:white;}"
$css= $css+ "TABLE{ font-family: 'Lucida Sans Unicode', 'Lucida Grande', Sans-Serif;font-size: 12px;margin: 10px;width: 100%;text-align: center;border-collapse: collapse;border-top: 7px solid #004466;border-bottom: 7px solid #004466;}"
$css= $css+ "TH{font-size: 13px;font-weight: normal;padding: 1px;background: #cceeff;border-right: 1px solid #004466;border-left: 1px solid #004466;color: #004466;}"
$css= $css+ "TD{padding: 1px;background: #FFFFFF;border-right: 1px solid #004466;border-left: 1px solid #004466;color: #669;hover:black;}"
$css= $css+ "TD:hover{ background-color:#e5f7ff;}"
$css= $css+ "</style>"
$StartDate = (get-date).AddDays(-1)
$body = Get-WinEvent -FilterHashtable @{logname="Security"; starttime=$StartDate; ID=4720} -ErrorAction SilentlyContinue
$body | ConvertTo-HTML -Head $css ID,TimeCreated,Message > C:\UserCreated.html
Answer 0: (score: 0)
Modify it like this
Get-WinEvent -FilterHashtable @{logname="Security"; starttime=$StartDate; } | Where-Object id -EQ 326| select ID,TimeCreated,Message | ConvertTo-HTML -Head $css ID,TimeCreated,Message > C:\UserCreated.html
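One way to get only the two account names, as an added example that is not part of the original question or answer: read the named fields from each event's XML instead of parsing the Message text. Event 4720 stores them in EventData as SubjectUserName and TargetUserName; the helper name Get-EventDataField and the fallback $css value are assumptions made for this example.

```powershell
# Added example (not from the original post). Run from an elevated session:
# reading the Security log requires administrative rights.
$StartDate = (Get-Date).AddDays(-1)
$OutFile   = 'C:\UserCreated.html'   # same output path as the question

# Reuse the question's $css if it is already defined; otherwise use a minimal style.
if (-not $css) { $css = '<style>TABLE{border-collapse: collapse;}</style>' }

# Hypothetical helper: return the text of <Data Name="..."> from an event's XML.
function Get-EventDataField {
    param(
        [Parameter(Mandatory)] [xml]    $EventXml,
        [Parameter(Mandatory)] [string] $Name
    )
    $node = $EventXml.Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1
    if ($node) { $node.'#text' } else { $null }
}

# Filter on the event ID inside the hashtable so only 4720 records are read.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $StartDate
    Id        = 4720
} -ErrorAction SilentlyContinue

# Build one row per event with only the fields of interest.
$rows = foreach ($evt in $events) {
    $xml = [xml]$evt.ToXml()
    [pscustomobject]@{
        Id                 = $evt.Id
        TimeCreated        = $evt.TimeCreated
        SubjectAccountName = Get-EventDataField -EventXml $xml -Name 'SubjectUserName'
        SubjectDomain      = Get-EventDataField -EventXml $xml -Name 'SubjectDomainName'
        TargetAccountName  = Get-EventDataField -EventXml $xml -Name 'TargetUserName'
        TargetDomain       = Get-EventDataField -EventXml $xml -Name 'TargetDomainName'
    }
}

$rows |
    ConvertTo-Html -Head $css -Property Id, TimeCreated, SubjectAccountName,
        SubjectDomain, TargetAccountName, TargetDomain |
    Out-File -FilePath $OutFile -Encoding utf8
```

Reading the fields by name does not depend on the display language of the Message text, so the same report works on localized systems.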