目标:创建一个脚本,用于从特定计算机获取最后一天的事件日志,然后查看消息部分以根据特定IP过滤数据(第一个),然后仅针对以特定关键字开头的项目再次过滤该数据,然后输出到HTML。
代码:
$fileDate = (Get-Date -Format ddMMyyyy) + ".html"
$EventGrab = Invoke-Command {
Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -EntryType FailureAudit
} -ComputerName whatever
$EventGrab |
Sort-Object -Property TimeWritten -Descending |
Select-String -InputObject {$_.TimeWritten,$_.message} -Pattern "10.1.2.13" |
ConvertTo-Html |
Out-File C:\$fileDate
粗略步骤:
问题出在第3步和第4步之间;我需要弄清楚在第3步之后再次过滤消息,它将获取消息字段并仅查看特定语法(例如LTC),然后输出该数据,如果它发现它到HTML文件中。
我认为它只是另一个Select-String,或其他东西,但无法弄明白。
示例输入(@ Select-String部分):
02/08/2017 15:51:57 Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-0-0
Account Name: <scrubbed>
Account Domain: <scrubbed>
Fully Qualified Account Name: <scrubbed>
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-1B-53-41-5A-57
Calling Station Identifier: F8-CA-B8-57-1A-9B
NAS:
NAS IPv4 Address: 10.1.2.13
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50324
RADIUS Client:
Client Friendly Name: <scrubbed>
Client IP Address: 10.1.2.13
Authentication Details:
Connection Request Policy Name: <scrubbed>
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: <scrubbed>
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.
预期产出:
以上内容已更改,因此只有帐户名称为host/LTC<whatever>。
答案 0 :(得分:0)
使用inp过滤记录,使用Where-Object从邮件中提取字符串:
Select-String