PowerShell 正在解析 Win 事件 XML
PowerShell parsing Win-Event XML
我已经为此奋斗了几个小时(别笑)。我需要的东西真的很简单,但我就是做不到。我避免使用 Powershell,但我真的很想将它添加到我的投资组合中。每次我尝试它,它都会让我生气。无论如何...
活动数据如下:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 21/10/2020 14:17:13
Event ID: 4725
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: V-XXXXX1.opXXl.local
Description:
A user account was disabled.
Subject:
Security ID: OPXXL\w126389
Account Name: w126389
Account Domain: OPXXL
Logon ID: 0x43846C4
Target Account:
Security ID: OPXXL\nmctest
Account Name: nmctest
Account Domain: OPXXL
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-10-21T13:17:13.084423200Z" />
<EventRecordID>118968190</EventRecordID>
<Correlation />
<Execution ProcessID="640" ThreadID="1280" />
<Channel>Security</Channel>
<Computer>V-NXXXXX1.oXXl.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">nmctest</Data>
<Data Name="TargetDomainName">OXXL</Data>
<Data Name="TargetSid">S-1-5-21-3289407757-3693523607-1375118011-18123</Data>
<Data Name="SubjectUserSid">S-1-5-21-3289407757-3693523607-1375118011-1134</Data>
<Data Name="SubjectUserName">w126389</Data>
<Data Name="SubjectDomainName">OXXXL</Data>
<Data Name="SubjectLogonId">0x43846c4</Data>
</EventData>
</Event>
$events = Get-WinEvent -FilterHashtable @{logname="Security";id=4725}
$event = [xml]$events[0].ToXml()
$eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Object {
$date = [DateTime]$_
$date.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
}
$eventdate + "," + $event.SelectSingleNode("//*[@Name='TargetUserName']")."#text" + ",Account was disabled," + $event.SelectSingleNode("//*[@Name='SubjectUserName']")."#text"
输出结果如下:
PS C:\Windows\system32> C:\Users\w126389\Documents\event logs.ps1
Select-Object : Property "TimeCreated" cannot be found.
At C:\Users\w126389\Documents\event logs.ps1:3 char:23
+ $eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (#document:PSObject) [Select-Object], PSArgumentException
+ FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
,nmctest,Account was disabled,w126389
我期望的输出是:
2020-10-21 13:17:13,nmctest,Account was disabled,w126389
你可以看到我得到了我需要的其他字段,除了日期之外的所有内容!
如有任何帮助,我们将不胜感激。
谢谢。
TimeCreated 是由 Get-WinEvent:
返回的原始 EventLogRecord 对象的 属性
$eventdate = $events[0].TimeCreated.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
我已经为此奋斗了几个小时(别笑)。我需要的东西真的很简单,但我就是做不到。我避免使用 Powershell,但我真的很想将它添加到我的投资组合中。每次我尝试它,它都会让我生气。无论如何...
活动数据如下:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 21/10/2020 14:17:13
Event ID: 4725
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: V-XXXXX1.opXXl.local
Description:
A user account was disabled.
Subject:
Security ID: OPXXL\w126389
Account Name: w126389
Account Domain: OPXXL
Logon ID: 0x43846C4
Target Account:
Security ID: OPXXL\nmctest
Account Name: nmctest
Account Domain: OPXXL
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-10-21T13:17:13.084423200Z" />
<EventRecordID>118968190</EventRecordID>
<Correlation />
<Execution ProcessID="640" ThreadID="1280" />
<Channel>Security</Channel>
<Computer>V-NXXXXX1.oXXl.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">nmctest</Data>
<Data Name="TargetDomainName">OXXL</Data>
<Data Name="TargetSid">S-1-5-21-3289407757-3693523607-1375118011-18123</Data>
<Data Name="SubjectUserSid">S-1-5-21-3289407757-3693523607-1375118011-1134</Data>
<Data Name="SubjectUserName">w126389</Data>
<Data Name="SubjectDomainName">OXXXL</Data>
<Data Name="SubjectLogonId">0x43846c4</Data>
</EventData>
</Event>
$events = Get-WinEvent -FilterHashtable @{logname="Security";id=4725}
$event = [xml]$events[0].ToXml()
$eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Object {
$date = [DateTime]$_
$date.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
}
$eventdate + "," + $event.SelectSingleNode("//*[@Name='TargetUserName']")."#text" + ",Account was disabled," + $event.SelectSingleNode("//*[@Name='SubjectUserName']")."#text"
输出结果如下:
PS C:\Windows\system32> C:\Users\w126389\Documents\event logs.ps1
Select-Object : Property "TimeCreated" cannot be found.
At C:\Users\w126389\Documents\event logs.ps1:3 char:23
+ $eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (#document:PSObject) [Select-Object], PSArgumentException
+ FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
,nmctest,Account was disabled,w126389
我期望的输出是:
2020-10-21 13:17:13,nmctest,Account was disabled,w126389
你可以看到我得到了我需要的其他字段,除了日期之外的所有内容!
如有任何帮助,我们将不胜感激。
谢谢。
TimeCreated 是由 Get-WinEvent:
EventLogRecord 对象的 属性
$eventdate = $events[0].TimeCreated.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")