我想要一个域用户,因为它想要检查安全事件日志是否登录然后打印匹配的事件,但它返回我的空值:
Get-EventLog -Log Security -Computer PC1 -InstanceID 4624 -After(Get-Date).AddDays(-2) | ? {
$_.Message -match "Account Name:\s+qasimali\s" -and
$_.Message -match 'Logon Type:\s+(2|10)\s"
}
但它不会为输出生成数据
Read-Host:name不能为Null或Empty。
命令运行并且没有错误。我只想检查这个命令是否正常运行。
答案 0 :(得分:1)
我过去这样做的方式如下(为了清晰起见,已经过彻底评论):
## Set Username Input
$UserInput = "DOMAINUSER"
## Set date in past to retrieve events up to
$StartTime = ((Get-Date).AddMinutes(-2))
##Set Domain Controller to search on
$ComputerName = "DC1"
## Retrieve Event 4624 from DC Eveng Logs
$Logons = Get-WinEvent -ComputerName $ComputerName -FilterHashTable @{LogName="Security"; ID="4624"; StartTime=$StartTime;EndTime=(Get-Date)}
## Initialize variable to store outputs in
$EventOutput = @()
## Enumerate Events to retrieve usernames to compare against User Input
foreach ($Logon in $Logons) {
## Convert Event to XML
$LogonXML = [XML]$Logon.ToXML()
## Retrieve Username from XML Object
$LogonUser = (($LogonXML.Event.EventData.Data | Select "#text")[5])."#text"
## Retrieve Logon Type from XML Object
$LogonType = (($LogonXML.Event.EventData.Data | Select "#text")[8])."#text"
## Check Event Username matches User Input
if ($LogonUser -match $UserInput) {
## Check LogonType is correct
if ($LogonType -eq 2 -or $LogonType -eq 10) {
## Append Event Object to Event Output
$EventOutput += $Logon
}
}
}
## Output Resulting Event Output Object
$EventOutput
可以操纵结果输出以检索您希望的任何细节。我发现将每个Object转换为XML以解析其他有用的值。
注意:我刚从内存中快速抛出此内容,可以快速重新构建,以便在需要时启用其他查询。需要更改开始时间和结束时间以从正确的时间跨度中提取信息。