Powershell 从GetWinEvent获取用户名
如何从Powershell 从GetWinEvent获取用户名,powershell,event-log,get-eventlog,Powershell,Event Log,Get Eventlog,如何从Get EventLog获取以下输出中“登录失败的帐户”部分的“帐户名”?我知道这涉及到替换字符串,但这并不能解决问题: Get-EventLog -ComputerName fs2 -Logname security | ? {$_.eventid -eq "4625"} | select machinename, eventid, @{n='AccountName';e={$_.ReplacementStrings[2]}}, entrytype, messa
Get EventLog
获取以下输出中“登录失败的帐户”部分的“帐户名”?我知道这涉及到替换字符串,但这并不能解决问题:
Get-EventLog -ComputerName fs2 -Logname security |
? {$_.eventid -eq "4625"} |
select machinename, eventid, @{n='AccountName';e={$_.ReplacementStrings[2]}},
entrytype, message |
Export-Csv 1.csv -NoTypeInformation
示例事件日志条目:
TimeCreated : 5/18/2016 8:55:43 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id : 4625
Message : An account failed to log on.
Subject:
Security ID: S-1-5-21-1287344763-2688370722-3395302928-19873
Account Name: service_adfs
Account Domain: DOMAIN
Logon ID: 0xD62E4
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: user.thatiwant@DOMAIN.com
Account Domain:
您可以在
消息
属性上使用正则表达式:
Account For Which Logon Failed.* Account Name:.+?\b(.*?)\s
下面是您的脚本:
$regex = 'Account For Which Logon Failed.* Account Name:.+?\b(.*?)\s'
get-eventlog -computername fs2 -logname security |
?{$_.eventid -eq "4625"} |
select machinename,eventid,@{n='AccountName';e={[regex]::Match($_.Message,$regex,[System.Text.RegularExpressions.RegexOptions]::Singleline).Groups[1].Value}},entrytype,message |
export-csv 1.csv -NoTypeInformation
工作不顺利
$regex = 'Account For Which Logon Failed.* Account Name:.+?\b(.*?)\s'
get-eventlog -computername fs2 -logname security |
?{$_.eventid -eq "4625"} |
select machinename,eventid,@{n='AccountName';e={[regex]::Match($_.Message,$regex,[System.Text.RegularExpressions.RegexOptions]::Singleline).Groups[1].Value}},entrytype,message |
export-csv 1.csv -NoTypeInformation