0

我正在尝试做的事情:使用 get-winevent (ID: 4624) 使用 Powershell 获取用户登录统计信息。如果您知道更好的方法,我不反对其他建议。我已经让它工作了,但它的格式不是我需要的。这是我拥有的 Powershell 代码(我是 Powershell 新手,但有些东西类似于 PHP,我很熟悉):

$LogonIDs = "4624"
$computers = get-content "c:\computers.txt"
foreach($pc in $computers) {
    if(test-connection $pc -count 1 -quiet) {
        write-host "Acquiring information for $pc"
        foreach ($item in $LogonIDs) {
            (Get-WinEvent -computername $pc -max 2000 -FilterHashtable @{Logname='security';Id=$item} `
                | Select TimeCreated,Message `
                | fl * `
                | findstr /G:c:\search.lst) `
                -replace "^[\s]+","" `
                -replace "[\s]+"," " `
                | out-file -append "c:\scripts\winevent\$LogonIDs.txt" 
        }
    }
    else {
        write-host "Couldn't ping $pc"
    }
}

search.lst 有以下信息:

TimeCreated
Account Name:
Logon Type:
Logon GUID:
Logon Type:
Process Name:

该脚本将导出如下内容:

TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {AKEJ38DJ-3K45-3LKD-3LKD-DKEJ3787DJJ3}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 6:50:42 AM
Account Name: -
Logon Type: 3
Account Name: COMPUTERNAME$
Logon GUID: {K458D890-3KJ8-DK3J-DK39-3LDJK23LD909}
Process Name: -
TimeCreated : 5/2/2013 6:27:22 AM
Account Name: COMPUTERNAME$
Logon Type: 5
Account Name: SYSTEM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe

这个脚本导出了所有很棒的东西,但是我在使用 Powershell 格式化和解析不需要的信息方面很糟糕。我可以使用 PHP 格式化我需要的所有内容,但是如果有人可以帮助我使用 Powershell 清除特定信息,那就太好了。

1) Explode at TimeCreated to create array
2) If Logon Type = 2, proceed, else skip to next value;
3) If Process Name contains winlogon.exe, proceed, else skip to next value;
4) If GUID = {00000000-0000-0000-0000-000000000000}, skip to next value;
5) If GUID != {00000000-0000-0000-0000-000000000000}, Account Name[0] = computername, Account Name[1] = Username, build new array with this information

这是我用来执行此操作的 PHP:

$file = "4624.txt";
$file_explode = explode("TimeCreated",$file);
while(list($k,$v) = each($file_explode)) {
    $account_name = "";
    $time = "";
    if(preg_match("/Logon Type\:[\s]+2/msU",$v)) {
        if(preg_match("/winlogon\.exe/msU",$v)) {
            if(strstr($v,"{00000000-0000-0000-0000-000000000000}")) {
                continue;
            }
            else {
                preg_match("/[\s]+\:[\s]+(.*)$/msU",$v,$time);
                preg_match_all("/Account Name\:[\s]+(.*)$/msU",$v,$account_name);
                $new_arr[] = array(
                    "time" => $time[1],
                    "computer_name" => $account_name[1][0],
                    "user" => $account_name[1][1]
                );
            }
        }
    }
}

我不能使用那个 PHP(我刚刚发现)的原因是我不能将 4624.txt 发布到我的 Web 服务器,因为它包含 PII(个人身份信息)。如果有人可以帮助我,我将永远欠你的债;]

-亚当

4

1 回答 1

0

一般来说,我通过在 PowerShell 中创建一个自定义对象来解决这类问题,其中我想要的每条数据都有一个属性。一旦你有了一个对象,使用 Sort-Object、Group-Object、Format-Object 来操作数据就容易多了。

 $LogonIDs = 4624
 $IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'

 function Parse-LogonID4624Event
 {
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject[]]
        $EventLogEntry
    )

    Process {
        foreach ($ev in $EventLogEntry)
        {
            $TimeCreated = [DateTime]::Parse($ev.TimeCreated)

            $AccountName = 'not found'
            if ($ev.Message -match '(?ims)New Logon:.*?Account Name:\s*(\S+)')
            {
                $AccountName =  $matches[1]
            }

            $LogonGuid = 'not found'
            if ($ev.Message -match '(?ims)^\s+Logon GUID:\s*(\S+)')
            {
                $LogonGuid =  $matches[1]
            }

            $obj = [pscustomobject] @{
                    TimeCreated = $TimeCreated
                    AccountName = $AccountName
                    LogonGuid = $LogonGuid
                    Message = $ev.Message
            }
            $obj
        }
    }
 }

 Get-WinEvent -max 20 -FilterHashtable @{LogName='Security';ID=$LogonIDs} | 
     Parse-LogonID4624Event |
     Where LogonGuid -ne $IgnoreLogonGuid 

此实现不会获取您需要的所有字段,但我认为您可以轻松了解如何冲洗和重复您需要的其他字段。请注意,此实现使用 PowerShell v3 特定功能。如果您在 v2 上需要这个,请告诉我。它应该只需要一些调整。

于 2013-05-10T00:05:00.870 回答