1

我正在查询我们 PDC 上的安全事件日志,以观察可能表明主机或用户名受损的趋势。我有代码来收集信息并清理它......

$TargetEvents 最终是这样的:(我不知道如何在我的帖子中格式化一个正常的表格)

主机用户
---- ----
主机 1 用户 1
主机 2 用户 2
主机 1 用户 3
主机 1 用户 4
主机 2 用户 4

$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10
$TargetEvents=@()
foreach ($Event in $Events)
{

    $obj=[PSCustomObject]@{
        Host=$Event.Properties[1].value.ToString()
        User=$Event.Properties[0].value.ToString()
    }
    $TargetEvents+=$obj
}

我希望能够创建一个摘要,但我真的被卡住了。我不专业编程,只是帮助我工作的工具。

这就是我想要创造的:

Host  Frequency
----  ---------
host1 3
host2 2

User  Frequency
----  ---------
user1 1
user2 1
user3 1
user4 2
4

2 回答 2

2

您可以直接将[PSCustomObject]发送到一个收集整个 foreach 输出的变量:

$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10

$TargetEvents= foreach ($Event in $Events){
    [PSCustomObject]@{
        Host=$Event.Properties[1].value.ToString()
        User=$Event.Properties[0].value.ToString()
    }
}

要获取您的数据,您可以Group-Object在此处使用-NoElement仅计数(频率)和Host/User相关

> $TargetEvents | Group-Object Host -NoElement

Count Name
----- ----
    3 host1
    2 host2

要获得您想要的确切输出,请使用 Select-Object使用计算属性将 Count重命名为 Frequency。

$TargetEvents | Group-Object Host -NoElement | Select-Object @{n='Host';e={$_.Name}},@{n='Frequency';e={$_.Count}}

Host  Frequency
----  ---------
host1         3
host2         2

$TargetEvents | Group-Object User -NoElement | Select-Object @{n='User';e={$_.Name}},@{n='Frequency';e={$_.Count}}

User  Frequency
----  ---------
user1         1
user2         1
user3         1
user4         2
于 2019-05-03T19:34:34.130 回答
1

Group-Objectcmdlet 在这里是您的朋友:

# rebuilding your example data

$items = @("host1 user1",
"host2 user2",
"host1 user3",
"host1 user4",
"host2 user4")

$arraylist = New-Object System.Collections.ArrayList

#loop over the objects, split at the space and assign variable values
foreach($item in $items) {
    $thehost = $item.split(' ')[0]
    $theuser = $item.split(' ')[1]

# including | Out-Null just keeps the Add() method from outputting the number of the item
# it does not nullify your data
    $arraylist.Add([PSCustomObject]@{Host=$thehost;User=$theuser}) | Out-null
}

# group by host property

$hostFrequency = $arraylist | Group-Object -Property Host

# group by user property

$userFrequency = $arraylist | Group-Object -Property User

# results arrays

$hostResults = New-Object System.Collections.ArrayList
$userResults = New-Object System.Collections.ArrayList

# group the count of hosts along with corresponding name
foreach($item in $hostFrequency)
{
    $hostResults.Add([PSCustomObject]@{Host = $item.Name; Frequency = $item.Count}) | Out-Null
}

# group the count of users along with corresponding name
foreach($item in $userFrequency)
{
    $userResults.Add([PSCustomObject]@{User = $item.Name; Frequency = $item.Count}) | Out-Null
}

# output all the things
$hostResults | Format-Table
$userResults | Format-Table

输出:

Host  Frequency
----  ---------
host1         3
host2         2



User  Frequency
----  ---------
user1         1
user2         1
user3         1
user4         2
于 2019-05-03T19:18:15.053 回答