Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/278.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php 从文件创建数组并使用Powershell格式化_Php_Arrays_Powershell_Format - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php 从文件创建数组并使用Powershell格式化

Php 从文件创建数组并使用Powershell格式化

php arrays powershell

Php 从文件创建数组并使用Powershell格式化,php,arrays,powershell,format,Php,Arrays,Powershell,Format,我正在尝试做什么:使用Get-winevent(ID:4624)获取Powershell的用户登录统计信息。如果你知道更好的方法,我不反对其他建议。我已经让它工作了,但它不是我所需要的格式。这是我的Powershell代码(我是Powershell新手,但有些东西与PHP类似,我很熟悉): search.lst具有以下信息: TimeCreated Account Name: Logon Type: Logon GUID: Logon Type: Process Name: 脚本将导出如下内容

我正在尝试做什么:使用Get-winevent(ID:4624)获取Powershell的用户登录统计信息。如果你知道更好的方法,我不反对其他建议。我已经让它工作了,但它不是我所需要的格式。这是我的Powershell代码(我是Powershell新手,但有些东西与PHP类似,我很熟悉):

search.lst具有以下信息:

TimeCreated
Account Name:
Logon Type:
Logon GUID:
Logon Type:
Process Name:
脚本将导出如下内容:

TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {AKEJ38DJ-3K45-3LKD-3LKD-DKEJ3787DJJ3}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 6:50:42 AM
Account Name: -
Logon Type: 3
Account Name: COMPUTERNAME$
Logon GUID: {K458D890-3KJ8-DK3J-DK39-3LDJK23LD909}
Process Name: -
TimeCreated : 5/2/2013 6:27:22 AM
Account Name: COMPUTERNAME$
Logon Type: 5
Account Name: SYSTEM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe
这个脚本导出了所有很棒的东西,但我在使用Powershell格式化和解析不需要的信息方面非常糟糕。我可以用PHP格式化所有需要的内容,但如果有人能帮我用Powershell删除特定信息,那就太棒了

1) Explode at TimeCreated to create array
2) If Logon Type = 2, proceed, else skip to next value;
3) If Process Name contains winlogon.exe, proceed, else skip to next value;
4) If GUID = {00000000-0000-0000-0000-000000000000}, skip to next value;
5) If GUID != {00000000-0000-0000-0000-000000000000}, Account Name[0] = computername, Account Name[1] = Username, build new array with this information
下面是我用来做这件事的PHP:

$file = "4624.txt";
$file_explode = explode("TimeCreated",$file);
while(list($k,$v) = each($file_explode)) {
    $account_name = "";
    $time = "";
    if(preg_match("/Logon Type\:[\s]+2/msU",$v)) {
        if(preg_match("/winlogon\.exe/msU",$v)) {
            if(strstr($v,"{00000000-0000-0000-0000-000000000000}")) {
                continue;
            }
            else {
                preg_match("/[\s]+\:[\s]+(.*)$/msU",$v,$time);
                preg_match_all("/Account Name\:[\s]+(.*)$/msU",$v,$account_name);
                $new_arr[] = array(
                    "time" => $time[1],
                    "computer_name" => $account_name[1][0],
                    "user" => $account_name[1][1]
                );
            }
        }
    }
}
我不能使用PHP(我刚刚发现)的原因是我不能将4624.txt发布到我的web服务器,因为它包含PII(个人可识别信息)。如果有人能帮我,我将永远欠你的债;]

-Adam

通常,我通过在PowerShell中创建一个自定义对象来解决这类问题,在该对象中,我需要的每一条数据都有一个属性。一旦有了对象,使用排序对象、分组对象、格式化对象来操作数据就容易多了

 $LogonIDs = 4624
 $IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'

 function Parse-LogonID4624Event
 {
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject[]]
        $EventLogEntry
    )

    Process {
        foreach ($ev in $EventLogEntry)
        {
            $TimeCreated = [DateTime]::Parse($ev.TimeCreated)

            $AccountName = 'not found'
            if ($ev.Message -match '(?ims)New Logon:.*?Account Name:\s*(\S+)')
            {
                $AccountName =  $matches[1]
            }

            $LogonGuid = 'not found'
            if ($ev.Message -match '(?ims)^\s+Logon GUID:\s*(\S+)')
            {
                $LogonGuid =  $matches[1]
            }

            $obj = [pscustomobject] @{
                    TimeCreated = $TimeCreated
                    AccountName = $AccountName
                    LogonGuid = $LogonGuid
                    Message = $ev.Message
            }
            $obj
        }
    }
 }

 Get-WinEvent -max 20 -FilterHashtable @{LogName='Security';ID=$LogonIDs} | 
     Parse-LogonID4624Event |
     Where LogonGuid -ne $IgnoreLogonGuid
这个实现并没有抓住您需要的所有字段,但是我认为您可以很容易地看到如何清洗和重复您需要的其他字段。请注意,此实现使用PowerShell v3特定的功能。如果你在v2上需要这个,请告诉我。它应该只需要几次调整。

非常出色-非常感谢,基思-效果非常好;] 
 $LogonIDs = 4624
 $IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'

 function Parse-LogonID4624Event
 {
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject[]]
        $EventLogEntry
    )

    Process {
        foreach ($ev in $EventLogEntry)
        {
            $TimeCreated = [DateTime]::Parse($ev.TimeCreated)

            $AccountName = 'not found'
            if ($ev.Message -match '(?ims)New Logon:.*?Account Name:\s*(\S+)')
            {
                $AccountName =  $matches[1]
            }

            $LogonGuid = 'not found'
            if ($ev.Message -match '(?ims)^\s+Logon GUID:\s*(\S+)')
            {
                $LogonGuid =  $matches[1]
            }

            $obj = [pscustomobject] @{
                    TimeCreated = $TimeCreated
                    AccountName = $AccountName
                    LogonGuid = $LogonGuid
                    Message = $ev.Message
            }
            $obj
        }
    }
 }

 Get-WinEvent -max 20 -FilterHashtable @{LogName='Security';ID=$LogonIDs} | 
     Parse-LogonID4624Event |
     Where LogonGuid -ne $IgnoreLogonGuid