由于属性在 $XMLEntry 对象中的存储方式，我无法让下面的脚本把 TargetUserName 和 LogonType 输出为单独的列。运行下面的代码时收到以下错误：
无法将值 "System.Object[]" 转换为类型 "System.Xml.XmlDocument"。错误："此文档已有 'DocumentElement' 节点。"
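# Target host and the account whose logon activity we want. Both are
# interpolated into the XPath below, so they must come from a trusted source
# (a single quote in $TargetUser would break/alter the query).
$ComputerName = 'fod71247'
$TargetUser   = 'c660503'

# Security-log query: 4624 logon, 4625 failed logon, 4634 logoff, limited to
# one account and to LogonType 2 (interactive) or 7 (unlock) in a time window.
#  - SystemTime literals use '.' before the milliseconds; the original
#    '12:00:00:000Z' is not a valid timestamp and the query would be rejected.
#  - Data[@Name='X']='v' ties the value to the named field. The original form
#    Data[@Name='X'] and (Data='v') matched when ANY <Data> child equalled 'v',
#    e.g. a LogonType test of '2' could be satisfied by an unrelated field.
$XMLFilter = @"
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624 or EventID=4634 or EventID=4625)
and
TimeCreated[@SystemTime>='2015-10-30T12:00:00.000Z' and @SystemTime<='2015-10-31T00:00:00.000Z']]
and
EventData[Data[@Name='TargetUserName']='$TargetUser']
and
EventData[Data[@Name='LogonType']='7' or Data[@Name='LogonType']='2']]
</Select>
</Query>
</QueryList>
"@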
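# Fetch the matching events from the remote Security log. Note that Get-WinEvent
# reports "No events were found" as an error rather than an empty result.
$Events = Get-WinEvent -ComputerName $ComputerName -FilterXml $XMLFilter

# Must start as an array: with an uninitialised variable the first '+=' leaves a
# single [xml] document, and the second '+=' fails (XmlDocument has no '+').
$EventXML = @()
foreach ($Event in $Events) {
    # Use the loop variable, not $Events. Calling ToXml() on the whole collection
    # returns an Object[] of strings, and [xml] cannot convert that - this is the
    # "This document already has a 'DocumentElement' node" error.
    $EventXML += [xml]$Event.ToXml()
}

# The host's own computer account (NAME$) is noise for this question.
$MachineAccount = $ComputerName + '$'

foreach ($XMLEntry in $EventXML) {
    # TimeCreated lives under <System>, not among the <EventData>/<Data> nodes.
    $TimeCreated    = $XMLEntry.Event.System.TimeCreated.SystemTime
    $TargetUserName = $null
    $LogonType      = $null

    foreach ($Property in $XMLEntry.Event.EventData.Data) {
        # Each <Data> node carries exactly one Name attribute, so the original
        # chain of '-and' tests (Name equal to three different strings at once)
        # could never be true and nothing was ever printed.
        switch ($Property.Name) {
            'TargetUserName' { $TargetUserName = $Property.'#text' }
            'LogonType'      { $LogonType      = $Property.'#text' }
        }
    }

    if ($TargetUserName -ne $MachineAccount) {
        # One line per event. For real columns, emit [pscustomobject] instead
        # of writing to the host and pipe to Format-Table / Export-Csv.
        Write-Host $TimeCreated $TargetUserName $LogonType
    }
}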
答案 0（得分：0）
这是一个创建 PSObject 来存储一些事件属性的示例：
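# For every host in $computername (assumed to hold one or more host names),
# run the NPS query remotely and return one object per event with the server
# name, the client machine name and the calling-station (MAC) identifier.
$result = $computername | ForEach-Object {
    "Checking $_ NPS " | Write-Verbose
    Invoke-Command -ComputerName $_ -ScriptBlock {
        $server = $env:COMPUTERNAME
        # NPS "access denied" (6273) events from the last hour; timediff() is in ms.
        $query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=6273) and TimeCreated[timediff(@SystemTime) <= 3600000]]]</Select></Query></QueryList>"
        Get-WinEvent -FilterXml $query -MaxEvents 100 | ForEach-Object {
            # Empty object carrying just the three properties we fill in below.
            $o = "dummy" | Select-Object server, machinename, MAC
            $o.server = $server
            # Parse the event's XML payload and pick the two EventData fields.
            [xml]$ev = $_.ToXml()
            foreach ($d in $ev.event.eventdata.data) {
                if ($d.name -eq "SubjectMachineName") { $o.machinename = $d."#text" }
                elseif ($d.name -eq "CallingStationID") { $o.mac = $d."#text" }
            }
            # Emit inside the per-event block. The original wrote $o after the
            # pipeline had finished, so only the LAST event per host came back.
            $o
        }
    }
}
$result | Select-Object machinename, mac, server -Unique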