VBscript从事件ID获取事件的属性

时间:2014-01-15 07:03:29

标签: security events vbscript

我想知道是否可以使用vbscript从事件ID 4624获取计算机的IP,登录用户,主机名?

我想要一个vbscript来获取这些信息:Event properties

2 个答案:

答案 0 :(得分:1)

这是可能的。您需要从 Security 事件日志中查询 ID 为 4624 的事件,然后从消息字符串中解析工作站名、IP 地址和端口,例如用正则表达式。注意几点:读取 Security 日志需要以管理员身份运行(脚本要能启用 Security 特权);4624 的消息文本是本地化的、并随 Windows 版本而变化,下面的正则只对英文系统上的消息格式有效,不匹配时不会报错、只是取不到值;另外 Win32_NTLogEvent 在大的 Security 日志上查询很慢,实际使用时最好像答案 1 那样加上 TimeWritten 时间范围:

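' Lists logon events (Security event 4624) on the local machine, printing
' the workstation name, source network address and source port that the
' event text reports for each logon.
'
' Practical notes:
'   * Reading the Security log needs the Security privilege, so run this
'     elevated. The moniker asks WMI to enable it with "(Security)"; without
'     it the query returns nothing or fails.
'   * The values are parsed out of the *rendered* message text, which is
'     localized and whose layout depends on the OS version. On a non-English
'     system the pattern will not match; such events are reported as
'     "not found" below rather than silently reusing another event's data.
'   * Win32_NTLogEvent is slow on a large Security log; restricting the
'     query to Logfile='Security' helps, and adding a TimeWritten bound
'     (as answer 1 does) is advisable.
Dim wmi, re, qry, evt, m, hostname, address, port

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

Set re = New RegExp
re.Pattern = "Network Information:\s+" & _
             "Workstation Name:\s*(.*?)\s+" & _
             "Source Network Address:\s*(.*?)\s+" & _
             "Source Port:\s*(\d+)"

' Only the Security log carries logon events; naming the log keeps WMI from
' scanning every other log for an EventCode that happens to equal 4624.
qry = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624"

For Each evt In wmi.ExecQuery(qry)
  ' Reset per event. The original script kept the previous event's values
  ' whenever the regex did not match, so a non-matching event was printed
  ' with another logon's workstation/address - a wrong attribution.
  hostname = ""
  address  = ""
  port     = ""

  ' Message is Null when the event's message resources are unavailable;
  ' RegExp.Execute would raise on a Null argument.
  If Not IsNull(evt.Message) Then
    For Each m In re.Execute(evt.Message)
      hostname = m.SubMatches(0)
      address  = m.SubMatches(1)
      port     = m.SubMatches(2)
    Next
  End If

  If hostname <> "" Or address <> "" Then
    WScript.Echo hostname & " [" & address & ":" & port & "]"
  Else
    ' Make a non-match visible instead of printing an empty or stale line.
    WScript.Echo "(record " & evt.RecordNumber & ": no 'Network Information' section matched in the event message)"
  End If
Next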

答案 1 :(得分:0)

基本上,听起来你要找的是 this article。作者在其中给出了一种相当完整的做法(带错误处理、时间范围过滤和结果去重的尝试),关键部分如下:

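' Entry point of the article's script: queries the local Security log for
' the listed event IDs written within the last two hours. What the article
' does with the results afterwards (writing them to a file) is not shown.
'
' Depends on names defined elsewhere in the article's script: wshNetwork
' (a WScript.Network object) and QueryEventLog (below).
Function ProcessScript
   Dim hostName, logName, startDateTime
   Dim events, eventNumbers
   hostName      = wshNetwork.ComputerName
   logName       = "Security"
   ' A VBScript Array of event IDs given as strings (not a comma-delimited
   ' string, as the original comment said). The answer text mentions 4212
   ' here; the event this question is about is 4624, so that is the value
   ' to put in this array for logon events.
   eventNumbers  = Array("672")
   ' Look back 120 minutes; QueryEventLog turns this into a TimeWritten bound.
   startDateTime = DateAdd("n", -120, Now)
   '-------------------------------------------------------------------------------------------------------------------------
   'Query the event log for the eventID's within the specified event log name and date range.
   'On failure QueryEventLog has already reported the error via LogError; there is nothing more to do here.
   '-------------------------------------------------------------------------------------------------------------------------
   If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
      Exit Function
   End If

End Function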

此函数调用QueryEventLog,它执行繁重的工作:

' Queries the event log `logName` on `hostName` for any of the event IDs in
' `eventNumbers` written at or after `startDateTime`.
'
' Parameters:
'   results       - (out) on success, an array of strings, one per event, in the
'                   form "date,time,source,type,category,code,user,computer,description".
'   hostName      - computer whose log is read (a WMI connection is made to it).
'   logName       - event log name, e.g. "Security".
'   eventNumbers  - one event ID or an Array of event IDs (strings or numbers).
'   startDateTime - earliest TimeWritten to include (VBScript date).
' Returns True on success, False if any step failed; failures are reported
' through LogError. SQ, DQ, LogError, NewDictionary and ConvertWMIDateTime are
' helpers defined elsewhere in the article's script.
'
' Security notes:
'   * The moniker requests the Security privilege ("(Security)"), which reading
'     the Security log requires; the caller must run with enough rights for
'     WMI to enable it.
'   * The WQL is built by string concatenation. SQ() wraps each value in single
'     quotes, so logName and every eventNumbers entry must be values you control;
'     a quote character in either would break (or alter) the query.
'   * The description is the rendered, localized event message; anything that
'     later parses it is tied to the OS language and version.
Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
   Dim wmiDateTime, wmi, query, eventItems, eventItem
   Dim timeWritten, eventDate, eventTime, description
   Dim eventsDict, eventInfo, errorCount, i
   QueryEventLog = False
   errorCount    = 0
   'Accept a single ID as well as an Array of IDs.
   If Not IsArray(eventNumbers) Then
      eventNumbers = Array(eventNumbers)
   End If
   '-------------------------------------------------------------------------------------------------------------------------
   'Construct part of the WMI Query to account for searching multiple eventID's
   '-------------------------------------------------------------------------------------------------------------------------
   query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
   For i = 0 To UBound(eventNumbers)
      'Every iteration leaves a dangling " Or EventCode = " at the end; it is trimmed off further down.
      query = query & SQ(eventNumbers(i)) & " Or EventCode = "
   Next
   'From here on each COM/WMI call is checked by hand via Err.Number.
   On Error Resume Next
      Set eventsDict = NewDictionary
      If Err.Number <> 0 Then
         LogError "Creating Dictionary Object"
         Exit Function
      End If
      '"(Security)" asks WMI to enable the Security privilege for this connection (needed for the Security log).
      Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
      If Err.Number <> 0 Then
         LogError "Creating WMI Object to connect to " & DQ(hostName)
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
      '----------------------------------------------------------------------------------------------------------------------
      Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
      If Err.Number <> 0 Then
         LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Build the WQL query and execute it.
      '----------------------------------------------------------------------------------------------------------------------
      'Convert the VBScript date to WMI's DMTF datetime string (the second argument selects local-time interpretation).
      wmiDateTime.SetVarDate startDateTime, True
      'Cut the query back to the last closing quote, dropping the dangling " Or EventCode = ", then add the time bound.
      query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
      Set eventItems = wmi.ExecQuery(query)
      If Err.Number <> 0 Then
         LogError "Executing WMI Query " & DQ(query)
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
      '----------------------------------------------------------------------------------------------------------------------
      For Each eventItem In eventItems
         'Single-pass Do loop: "Exit Do" below acts as a "continue" for the current event.
         Do
            timeWritten = ""
            eventDate   = ""
            eventTime   = ""
            eventInfo   = ""
            timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
            eventDate   = FormatDateTime(timeWritten, vbShortDate)
            eventTime   = FormatDateTime(timeWritten, vbLongTime)
            eventInfo   = eventDate                          & ","
            eventInfo   = eventInfo & eventTime              & ","
            eventInfo   = eventInfo & eventItem.SourceName   & ","
            eventInfo   = eventInfo & eventItem.Type         & ","
            eventInfo   = eventInfo & eventItem.Category     & ","
            eventInfo   = eventInfo & eventItem.EventCode    & ","
            eventInfo   = eventInfo & eventItem.User         & ","
            eventInfo   = eventInfo & eventItem.ComputerName & ","
            'Message is the rendered description; it is Null when the message resources are unavailable.
            description = eventItem.Message
            '------------------------------------------------------------------------------------------------------------------------
            'Ensure the event description is not blank.
            '------------------------------------------------------------------------------------------------------------------------
            If IsNull(description) Then
               description = "The event description cannot be found."
            End If
            'Flatten the multi-line description onto one line (commas inside it are NOT escaped, so the
            'resulting string is not a strict CSV record).
            description = Replace(description, vbCrLf, " ")
            eventInfo   = eventInfo & description
            '------------------------------------------------------------------------------------------------------------------------
            'Check if any errors occurred enumerating the event Information
            '------------------------------------------------------------------------------------------------------------------------
            If Err.Number <> 0 Then
               LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
               errorCount = errorCount + 1
               Err.Clear
               Exit Do
            End If
            '------------------------------------------------------------------------------------------------------------------------
            'Remove all Tabs and spaces.
            '(Actually: tabs become spaces and runs of spaces collapse to one; single spaces are kept.)
            '------------------------------------------------------------------------------------------------------------------------
            eventInfo = Trim(Replace(eventInfo, vbTab, " "))
            Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
               eventInfo = Replace(eventInfo, "  ", " ")
            Loop
            '------------------------------------------------------------------------------------------------------------------------
            'Add the Event Information to the Dictionary object if it doesn't exist.
            'NOTE(review): Exists() tests dictionary KEYS, but entries are stored under the numeric key eventsDict.Count,
            'so this test never succeeds and nothing is de-duplicated - every event is appended. For an audit log that is
            'arguably the right outcome (two distinct events can render to identical text), but the comment is misleading.
            '------------------------------------------------------------------------------------------------------------------------
            If Not eventsDict.Exists(eventInfo) Then
               eventsDict(eventsDict.Count) = eventInfo
            End If
         Loop Until True
      Next
   On Error Goto 0
   'Any per-event enumeration error fails the whole call, even though other events may have been collected.
   If errorCount <> 0 Then
      Exit Function
   End If
   'Items returns the values in insertion order (keys 0..n-1).
   results       = eventsDict.Items
   QueryEventLog = True
End Function

其余内容在该文章中有详细介绍,但基本上只涉及将结果写入文件以及在执行过程中加入一些用户交互。注意:上面的代码引用了 wshNetwork、SQ、DQ、LogError、NewDictionary 和 ConvertWMIDateTime,这些都是文章脚本里其它地方定义的辅助对象/函数,单独复制这两段代码是跑不起来的,需要一并从文章中取来。