Php 从文件创建数组并使用Powershell格式化
我正在尝试做什么:使用Get-winevent(ID:4624)获取Powershell的用户登录统计信息。如果你知道更好的方法,我不反对其他建议。我已经让它工作了,但它不是我所需要的格式。这是我的Powershell代码(我是Powershell新手,但有些东西与PHP类似,我很熟悉): search.lst具有以下信息:Php 从文件创建数组并使用Powershell格式化,php,arrays,powershell,format,Php,Arrays,Powershell,Format,我正在尝试做什么:使用Get-winevent(ID:4624)获取Powershell的用户登录统计信息。如果你知道更好的方法,我不反对其他建议。我已经让它工作了,但它不是我所需要的格式。这是我的Powershell代码(我是Powershell新手,但有些东西与PHP类似,我很熟悉): search.lst具有以下信息: TimeCreated Account Name: Logon Type: Logon GUID: Logon Type: Process Name: 脚本将导出如下内容
TimeCreated
Account Name:
Logon Type:
Logon GUID:
Logon Type:
Process Name:
脚本将导出如下内容:
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {AKEJ38DJ-3K45-3LKD-3LKD-DKEJ3787DJJ3}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 6:50:42 AM
Account Name: -
Logon Type: 3
Account Name: COMPUTERNAME$
Logon GUID: {K458D890-3KJ8-DK3J-DK39-3LDJK23LD909}
Process Name: -
TimeCreated : 5/2/2013 6:27:22 AM
Account Name: COMPUTERNAME$
Logon Type: 5
Account Name: SYSTEM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe
这个脚本导出了所有很棒的东西,但我在使用Powershell格式化和解析不需要的信息方面非常糟糕。我可以用PHP格式化所有需要的内容,但如果有人能帮我用Powershell删除特定信息,那就太棒了
1) Explode at TimeCreated to create array
2) If Logon Type = 2, proceed, else skip to next value;
3) If Process Name contains winlogon.exe, proceed, else skip to next value;
4) If GUID = {00000000-0000-0000-0000-000000000000}, skip to next value;
5) If GUID != {00000000-0000-0000-0000-000000000000}, Account Name[0] = computername, Account Name[1] = Username, build new array with this information
下面是我用来做这件事的PHP:
$file = "4624.txt";
$file_explode = explode("TimeCreated",$file);
while(list($k,$v) = each($file_explode)) {
$account_name = "";
$time = "";
if(preg_match("/Logon Type\:[\s]+2/msU",$v)) {
if(preg_match("/winlogon\.exe/msU",$v)) {
if(strstr($v,"{00000000-0000-0000-0000-000000000000}")) {
continue;
}
else {
preg_match("/[\s]+\:[\s]+(.*)$/msU",$v,$time);
preg_match_all("/Account Name\:[\s]+(.*)$/msU",$v,$account_name);
$new_arr[] = array(
"time" => $time[1],
"computer_name" => $account_name[1][0],
"user" => $account_name[1][1]
);
}
}
}
}
我不能使用PHP(我刚刚发现)的原因是我不能将4624.txt发布到我的web服务器,因为它包含PII(个人可识别信息)。如果有人能帮我,我将永远欠你的债;]
-Adam通常,我通过在PowerShell中创建一个自定义对象来解决这类问题,在该对象中,我需要的每一条数据都有一个属性。一旦有了对象,使用排序对象、分组对象、格式化对象来操作数据就容易多了
$LogonIDs = 4624
$IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'
function Parse-LogonID4624Event
{
param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
[psobject[]]
$EventLogEntry
)
Process {
foreach ($ev in $EventLogEntry)
{
$TimeCreated = [DateTime]::Parse($ev.TimeCreated)
$AccountName = 'not found'
if ($ev.Message -match '(?ims)New Logon:.*?Account Name:\s*(\S+)')
{
$AccountName = $matches[1]
}
$LogonGuid = 'not found'
if ($ev.Message -match '(?ims)^\s+Logon GUID:\s*(\S+)')
{
$LogonGuid = $matches[1]
}
$obj = [pscustomobject] @{
TimeCreated = $TimeCreated
AccountName = $AccountName
LogonGuid = $LogonGuid
Message = $ev.Message
}
$obj
}
}
}
Get-WinEvent -max 20 -FilterHashtable @{LogName='Security';ID=$LogonIDs} |
Parse-LogonID4624Event |
Where LogonGuid -ne $IgnoreLogonGuid
这个实现并没有抓住您需要的所有字段,但是我认为您可以很容易地看到如何清洗和重复您需要的其他字段。请注意,此实现使用PowerShell v3特定的功能。如果你在v2上需要这个,请告诉我。它应该只需要几次调整。非常出色-非常感谢,基思-效果非常好;]
$LogonIDs = 4624
$IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'
function Parse-LogonID4624Event
{
param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
[psobject[]]
$EventLogEntry
)
Process {
foreach ($ev in $EventLogEntry)
{
$TimeCreated = [DateTime]::Parse($ev.TimeCreated)
$AccountName = 'not found'
if ($ev.Message -match '(?ims)New Logon:.*?Account Name:\s*(\S+)')
{
$AccountName = $matches[1]
}
$LogonGuid = 'not found'
if ($ev.Message -match '(?ims)^\s+Logon GUID:\s*(\S+)')
{
$LogonGuid = $matches[1]
}
$obj = [pscustomobject] @{
TimeCreated = $TimeCreated
AccountName = $AccountName
LogonGuid = $LogonGuid
Message = $ev.Message
}
$obj
}
}
}
Get-WinEvent -max 20 -FilterHashtable @{LogName='Security';ID=$LogonIDs} |
Parse-LogonID4624Event |
Where LogonGuid -ne $IgnoreLogonGuid