审核登录远程桌面的用户,过滤掉本地IP地址
Auditing Users logging on Remote Desktop, filter out local IP addresses
我从网上某处获取了一个 PowerShell(忘了从哪里)修改了一下,但我需要过滤掉本地 IP 地址范围并仅显示外部 IP 有人可以帮我修改脚本来做到这一点吗?
我的本地IP地址范围是192.168.1.0/254
Param(
[array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
[datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
)
ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
$L_V_1_String_EventLogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}
$L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
$L_V_1_String_GetAllEventLog | Foreach {
$L_V_1_String_EventLog = [xml]$_.ToXml()
[array]$L_V_1_Array_OutputToFile += New-Object PSObject -Property @{
TimeCreated = $_.TimeCreated
User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
EventID = $L_V_1_String_EventLog.Event.System.EventID
ServerName = $L_V_1_String_ComputerName
}
}
}
$L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
if ($_.EventID -eq '21'){"logon"}
if ($_.EventID -eq '22'){"Shell start"}
if ($_.EventID -eq '23'){"logoff"}
if ($_.EventID -eq '24'){"disconnected"}
if ($_.EventID -eq '25'){"reconnection"}
}
}
$L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
$L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation
假设您的 IP 范围是 192.168.1.0/24 而不是奇怪的 192.168.1.0/254:
Param(
[array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
[datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
)
$L_V_1_Array_FilterOutputFile = $null
[PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
$L_V_1_String_EventLogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}
$L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
$L_V_1_String_GetAllEventLog | Foreach {
$L_V_1_String_EventLog = [xml]$_.ToXml()
if ($L_V_1_String_EventLog.Event.UserData.EventXML.Address -ne "LOCAL" `
-and $L_V_1_String_EventLog.Event.UserData.EventXML.Address -notmatch "^192\.168\.1\.")
{
[array]$L_V_1_Array_OutputToFile += [PSCustomObject]@{
TimeCreated = $_.TimeCreated
User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
EventID = $L_V_1_String_EventLog.Event.System.EventID
ServerName = $L_V_1_String_ComputerName
Action = switch ($L_V_1_String_EventLog.Event.System.EventID)
{
21 {
"logon"
break
}
22 {
"Shell start"
break
}
23 {
"logoff"
break
}
24 {
"disconnected"
break
}
25 {
"reconnection"
break
}
default {
break
}
}
}
}
}
}
$L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, Action
$L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
$L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation
首先,我添加了变量的初始化:
$L_V_1_Array_FilterOutputFile = $null
[PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
如果脚本多次运行,这将避免问题
其次,我使用 PSCustomObject 而不是 PSObject,现在是更好的方法。
第三次直接在对象创建中更改了 'Action' 成员(switch 声明如果这里比多个 if.
第四,您已经为 EventID 22 定义了 Action 成员,但没有检索它(参见 $L_V_1_String_EventLogFilter)我保持原样,但如果您想要 EventID 22,则需要添加它。
最后,我很快就完成了,但是您可以做一些改进以获得更具可读性和更快的脚本。
我从网上某处获取了一个 PowerShell(忘了从哪里)修改了一下,但我需要过滤掉本地 IP 地址范围并仅显示外部 IP 有人可以帮我修改脚本来做到这一点吗?
我的本地IP地址范围是192.168.1.0/254
Param(
[array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
[datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
)
ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
$L_V_1_String_EventLogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}
$L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
$L_V_1_String_GetAllEventLog | Foreach {
$L_V_1_String_EventLog = [xml]$_.ToXml()
[array]$L_V_1_Array_OutputToFile += New-Object PSObject -Property @{
TimeCreated = $_.TimeCreated
User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
EventID = $L_V_1_String_EventLog.Event.System.EventID
ServerName = $L_V_1_String_ComputerName
}
}
}
$L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
if ($_.EventID -eq '21'){"logon"}
if ($_.EventID -eq '22'){"Shell start"}
if ($_.EventID -eq '23'){"logoff"}
if ($_.EventID -eq '24'){"disconnected"}
if ($_.EventID -eq '25'){"reconnection"}
}
}
$L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
$L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation
假设您的 IP 范围是 192.168.1.0/24 而不是奇怪的 192.168.1.0/254:
Param(
[array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
[datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
)
$L_V_1_Array_FilterOutputFile = $null
[PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
$L_V_1_String_EventLogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}
$L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
$L_V_1_String_GetAllEventLog | Foreach {
$L_V_1_String_EventLog = [xml]$_.ToXml()
if ($L_V_1_String_EventLog.Event.UserData.EventXML.Address -ne "LOCAL" `
-and $L_V_1_String_EventLog.Event.UserData.EventXML.Address -notmatch "^192\.168\.1\.")
{
[array]$L_V_1_Array_OutputToFile += [PSCustomObject]@{
TimeCreated = $_.TimeCreated
User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
EventID = $L_V_1_String_EventLog.Event.System.EventID
ServerName = $L_V_1_String_ComputerName
Action = switch ($L_V_1_String_EventLog.Event.System.EventID)
{
21 {
"logon"
break
}
22 {
"Shell start"
break
}
23 {
"logoff"
break
}
24 {
"disconnected"
break
}
25 {
"reconnection"
break
}
default {
break
}
}
}
}
}
}
$L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, Action
$L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
$L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation
首先,我添加了变量的初始化:
$L_V_1_Array_FilterOutputFile = $null
[PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
如果脚本多次运行,这将避免问题
其次,我使用 PSCustomObject 而不是 PSObject,现在是更好的方法。
第三次直接在对象创建中更改了 'Action' 成员(switch 声明如果这里比多个 if.
第四,您已经为 EventID 22 定义了 Action 成员,但没有检索它(参见 $L_V_1_String_EventLogFilter)我保持原样,但如果您想要 EventID 22,则需要添加它。
最后,我很快就完成了,但是您可以做一些改进以获得更具可读性和更快的脚本。