我需要從事件日志中讀取特定資訊。在下面的腳本中,我無法匯出 XML 視圖中包含的某些值。在 XML 視圖中,我想要目標用戶名:BRSYSAD 和 Subjectusername:900011-LT
腳本
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
# output the properties you need
[PSCustomObject]@{
EventID = $eventXml.System.EventID.'#text'
TimeCreated = $eventXml.System.TimeCreated.SystemTime -replace '\.\d .*$'
Computer = $eventXml.System.Computer
Data = $eventXml.EventData.Data
}
}
# output on screen
$result | Format-Table -AutoSize
# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation
uj5u.com熱心網友回復:
您應該能夠通過過濾那些特別命名的屬性來獲取TargetUserName和屬性。SubjectUserNameEventData
示例代碼已更新(我還.'#text'從 EventID 行中洗掉了該部分以確保捕獲此值)
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
# output the properties you need
[PSCustomObject]@{
EventID = $eventXml.System.EventID
TimeCreated = $eventXml.System.TimeCreated.SystemTime -replace '\.\d .*$'
Computer = $eventXml.System.Computer
TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text'
SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text'
}
}
# output on screen
$result | Format-Table -AutoSize
# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation
如果您愿意,您可以使用以下內容提取所有屬性:
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
# output the properties you need
$object = [PSCustomObject]@{
EventID = $eventXml.System.EventID
TimeCreated = $eventXml.System.TimeCreated.SystemTime -replace '\.\d .*$'
Computer = $eventXml.System.Computer
}
$eventXml.EventData.Data | ForEach-Object { $object | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.'#text' }
$object
}
# output on screen$
$result | Format-Table -AutoSize
然后,您將獲得所有可用的屬性,每個結果將包含以下資料:
轉載請註明出處,本文鏈接:https://www.uj5u.com/net/495210.html
標籤:电源外壳