我们在运行W2012的QA机器上使用IO.FileSystemWatcher观察器进行测试。
- 每次新用户在计算机中登录时,PS脚本都会作为计划任务运行。 - PS脚本将捕获日志文件并在每次更改时发送电子邮件(创建,重命名,删除,更改)。
Powershell脚本SystemFileMonitor运行良好,但没有捕获进行更改的用户名,而是始终捕获正在运行计划任务的用户名。
有什么想法吗?我甚至试图捕获服务所有者,但仍然存在同样的问题。
以下是代码:
*$location = Get-location
$machine = [Environment]::MachineName
$userLogged = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$userLogged1 = (Get-WmiObject Win32_Process -Filter "Name='explorer.exe'").getOwner() | Select User
$folder = "C:\apache-tomcat-8.0.33\webapps"
$filter = "*.ini"
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
IncludeSubdirectories = $false NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
}
$onCreated = Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action{
$path = $Event.SourceEventArgs.FullPath
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" and $userLogged and Process Owner '$userLogged1' -fore green
Out-File -FilePath $location\logs\INI-outlog-Created.txt -Append -InputObject "The file '$name' was '$changeType' at '$timeStamp' on machine '$machine' on Path:'$path' , by user '$userLogged' Process Owner '$userLogged1'"
#SEND EMAIL#
$From = "test@test.com"
$To = "test1@test.com"
$Cc = "test2@test.com"
$Attachment = "$location\logs\INI-outlog-Created.txt"
$Subject = "File Created – CHANGE ALERT SERVERTRUNK"
$Body = "File Created @ SERVERTRUNK – The file '$name' was '$changeType' at '$timeStamp' on machine '$machine' on Path:'$path' , by user '$userLogged' Process Owner '$userLogged1'"
$SMTPServer = "MailServer"
Send-MailMessage -From $From -to $To -Cc $Cc -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Attachments $Attachment -Priority High -dno onSuccess, onFailure}*
我们总是得到如下所示的Log DUMP(在服务器上运行计划任务的用户名):
该文件已重命名 - Copy.ini'被删除' at' 10/03/2016 10:11:36'在机器' TESTQA'在路径上:' C:\ Monitor1 \ Source1 \ renamed - Copy.ini' ,由用户' @ {User = SVC_TEST}'
感谢您的任何想法。 圣保罗。
答案 0 :(得分:0)