我们在运行 W2012 的 QA 机器上使用 IO.FileSystemWatcher 观察程序进行测试。
每次新用户登录机器时,Powershell 脚本都会作为计划任务运行。
Powershell 脚本将捕获日志文件并在每次更改(创建、重命名、删除、更改)时发送电子邮件。
SystemFileMonitor Powershell 脚本运行良好,但没有捕获进行更改的用户的名称;相反,它总是捕获正在运行计划任务的用户的名称。
你有什么主意吗?
我什至尝试捕获服务所有者,但我仍然遇到同样的问题。
这是我正在使用的代码。
*$location = Get-location
$machine = [Environment]::MachineName
$userLogged = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$userLogged1 = (Get-WmiObject Win32_Process -Filter "Name='explorer.exe'").getOwner() | Select User
$folder = "C:\apache-tomcat-8.0.33\webapps"
$filter = "*.ini"
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
IncludeSubdirectories = $false NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
}
$onCreated = Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action{
$path = $Event.SourceEventArgs.FullPath
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" and $userLogged and Process Owner '$userLogged1' -fore green
Out-File -FilePath $location\logs\INI-outlog-Created.txt -Append -InputObject "The file '$name' was '$changeType' at '$timeStamp' on machine '$machine' on Path:'$path' , by user '$userLogged' Process Owner '$userLogged1'"
#SEND EMAIL#
$From = "test@test.com"
$To = "test1@test.com"
$Cc = "test2@test.com"
$Attachment = "$location\logs\INI-outlog-Created.txt"
$Subject = "File Created – CHANGE ALERT SERVERTRUNK"
$Body = "File Created @ SERVERTRUNK – The file '$name' was '$changeType' at '$timeStamp' on machine '$machine' on Path:'$path' , by user '$userLogged' Process Owner '$userLogged1'"
$SMTPServer = "MailServer"
Send-MailMessage -From $From -to $To -Cc $Cc -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Attachments $Attachment -Priority High -dno onSuccess, onFailure}*
我总是收到这个消息。
文件 'renamed – Copy.ini' 在 '10/03/2016 10:11:36' 在机器 'TESTQA' 上的 Path:'C:\Monitor1\Source1\renamed – Copy.ini' 上被“删除”,由用户'@{User=SVC_TEST}'