也许我会以错误的方式解决这个问题,但这就是我拥有的和我得到的:
Get-WinEvent -FilterHashtable @{logname='security'; id=4663;} | ?{$_.message -match "DELETE" -And $_.message -match "C:\\Shares\\Share" -And $_.message -NotMatch ".tmp|~\\$"} | Select -expand Message
我得到了这个输出:
Subject:
Security ID: S-1-5-21-
Account Name: name
Account Domain: domain
Logon ID: 0x9CD04EC
Object:
Object Server: Security
Object Type: File
Object Name: C:\Shares\
Handle ID: 0x5504
Resource Attributes: S:AI
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
An attempt was made to access an object.
有没有办法只提取Logn ID和Object Name?
答案 0 :(得分:2)
假设您将单个条目的值设置为变量$message。该值将是包含多行的单个字符串。
您需要搜索字符串的内容,并且有多种方法可以执行此操作。这有两种方法:
管道到findstr:
& "echo" $message | findstr /im /C:"Logon ID"
& "echo" $message | findstr /im /C:"Object Name"
按NewLine拆分,输入foreach并使用正则表达式:
$message -split [Environment]::NewLine | foreach{if ($_ -match "Logon ID|Object Name") {$_}}
请注意,这将为您提供如下所示的输出:
Logon ID: 0x9CD04EC
Object Name: C:\Shares\
您仍需要做一些工作来分隔这些行的值。类似的东西:
$logonID = & "echo" $message | findstr /im /C:"Logon ID"
($logonID -split " ")[1]