如何在 get-eventlog 中排除特定用户

Question

我有以下脚本

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) |
Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1]}}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType

我试过添加 Where 语句

@{Name="Account Name";Expression={ $_.ReplacementStrings[1]} -notlike "user"}

或

$_.username -notlike "user"

然而，两者似乎都不会影响日志的结果。

我做错了什么？

Answer 1

当你使用-Like和-Notlike时，你必须指定一个通配符，使用星号*

像这样：

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) |
    Where-Object {$_.username -notlike "*UserName*"} | 
        Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1]}}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
            Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType

Answer 2

我的解决方案最终使用 -NotMatch 而不是 -notlike

来自 https://social.technet.microsoft.com/Forums/ie/en-US/d6a2e073-ada4-4b4f-8cd5-1ebe9256fcfe/geteventlog-and-message-details?forum=winserverpowershell

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) | 
Where {$_.message -notmatch "Account Name:\s*user*"} |
Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1] }}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType

如何在 get-eventlog 中排除特定用户

How to exclude specific user in get-eventlog

powershell

event-log

get-eventlog