How to filter the Windows Security event log by security ID (SID) and EventID using PowerShell


When I filter the Windows Security log by EventId and by security Id (SID) separately, I get output. Now I want to combine the two filters: I want to filter by EventId and SID at the same time. If the SID is "SYSTEM", it should be filtered out. How do I combine these two filters? Here is the code for filtering by EventID:

Get-WinEvent -Path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} `
| ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
Here is the code for filtering by SID:

$out += Get-WinEvent -Path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]' `
| ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

Does this work for you?

Get-WinEvent -FilterHashtable @{path='C:\Windows\System32\winevt\Logs\Security.evtx'; data = 'S-1-5-21-1004336348-1383384898-1417001333-892045'} `
| where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} `
| ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

This is just another calculated property added to the first block. There is no reason to use separate code blocks.

So try this to get the combined data you want. We simply write the code as is and use the .NET Xml namespace to get the SID, or any other item you choose. Of course, you can filter the final collection however you like.

Clear-Host
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, 
          @{Name="Source";Expression={$_."Id"}},
          @{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
          -First 9 `
          | Format-table -AutoSize


TimeGenerated        Source SubjectUserSidValue    Message                                                                      
-------------        ------ -------------------    -------
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:26:31 AM   4634 S-1-5-21-3...          An account was logged off....
1/31/2018 5:26:29 AM   4634 S-1-5-18               An account was logged off....
Update per the OP's additional question

Here is what you can get from the XML by array position:

Name                      #text                          
----                      -----                          
SubjectUserSid            S-1-5-18                       
SubjectUserName           2012DC$                        
SubjectDomainName         CONTOSO                        
SubjectLogonId            0x3e7                          
TargetUserSid             S-1-0-0                        
TargetUserName            postanote                        
TargetDomainName          CONTOSO                        
Status                    0xc000015b                     
FailureReason             %%2308                         
SubStatus                 0x0                            
LogonType                 4                              
LogonProcessName          Advapi                         
AuthenticationPackageName Negotiate                      
WorkstationName           2012DC                         
TransmittedServices       -                              
LmPackageName             -                              
KeyLength                 0                              
ProcessId                 0x390                          
ProcessName               C:\Windows\System32\svchost.exe
IpAddress                 -                              
IpPort                    -
So the updated script becomes:

Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
          @{Name='Source';Expression={$_.'Id'}},
          @{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
          @{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
          @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
          -First 100 `
          | Format-table -AutoSize
*Updated again to reflect the OP's next question*

Per your last question/request, for the other values the update becomes this.

How to collect the full information before parsing:

$Event = Get-WinEvent ...
$Event | Select -Property *
$EventXML = [xml]$Event.ToXml()
$EventXML.Event.EventData.Data


Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
        @{Name='EventID';Expression={$_.'Id'}},
        @{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
        @{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
        @{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
        @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
        -First 9 `
        | Format-table -AutoSize



TimeGenerated       EventID TaskCategory SubjectUserSid  AccountName LogonProcessName
-------------       ------- ------------ --------------  ----------- ----------------
2/2/2018 2:41:03 AM    4634 Logoff       S-1-5-21-376... spadmin
2/2/2018 2:40:53 AM    4624 Logon        S-1-0-0         -           -
2/2/2018 2:40:51 AM    4634 Logoff       S-1-5-21-376... SKY01$
2/2/2018 2:40:37 AM    4634 Logoff       S-1-5-18        DC01$
...

Yes, it worked. Thanks a lot :) Thank you for your help. I have one more doubt. In the Message column I only need "Account Name" and "Process Name", not the whole string and the full information. How can I do that using the same method as the calculated field for the SID?

See my update.

Thanks for the updated code. It helped a lot in understanding how to extract from the XML by array position. :) But from the whole message I need to filter and print certain keywords, such as "Logon", "EventID: XXXX", "Account Name: xxxxx" etc. The XML does not contain the whole message. How do I get keywords like "logged on", "logged off"?

Correct, the XML is the values of the message's data properties. Also, the names shown in the UI are not the names of the properties. Logon is a main event property called TaskDisplayName, and in the message XML Account Name is also called TargetUserName. So what you are asking for is just adding TaskDisplayName and changing the custom names you want in the calculated properties. See my update.
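An added example, not code from the question or the answers above: it combines the EventID and SID filters in a single Get-WinEvent call, reads the EventData fields by their Name attribute instead of by array position (the Data order differs between event IDs, so Data[11] is LogonProcessName in a 4624 but something else in a 4688), and implements the "filter out SYSTEM" requirement by dropping records whose only SID is S-1-5-18. The log path, SID and ID list are the ones from the question; Get-EventDataMap is a helper name chosen here.

```powershell
# Added example (not from the original post). Log path and SID are the question's.
$LogPath   = 'C:\Windows\System32\winevt\Logs\Security.evtx'
$TargetSid = 'S-1-5-21-1004336348-1383384898-1417001333-892045'
$EventIds  = 4624,4634,4778,4779,4608,4609,4800,4801,4802,4803,4688,4689
$SystemSid = 'S-1-5-18'

# Turn an event's <EventData> into a Name -> value hashtable so fields can be
# addressed as $map['TargetUserName'] whatever their position in the Data array.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) {
        if ($node.Name) { $map[$node.Name] = $node.'#text' }
    }
    return $map
}

# FilterHashtable applies Id, Data (any Data element equal to the SID) and the
# time window inside the log reader, instead of a Where over every record.
Get-WinEvent -FilterHashtable @{
        Path      = $LogPath
        Id        = $EventIds
        Data      = $TargetSid
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap -Record $_
    [pscustomobject]@{
        TimeGenerated    = $_.TimeCreated
        EventID          = $_.Id
        TaskCategory     = $_.TaskDisplayName      # "Logon", "Logoff", ...
        SubjectUserSid   = $d['SubjectUserSid']
        TargetUserSid    = $d['TargetUserSid']
        AccountName      = $d['TargetUserName']    # "Account Name" in the UI
        LogonType        = $d['LogonType']
        LogonProcessName = $d['LogonProcessName']
        # 4688 carries the started process as NewProcessName; 4624 uses ProcessName
        ProcessName      = if ($d.ContainsKey('NewProcessName')) { $d['NewProcessName'] } else { $d['ProcessName'] }
    }
  } |
  Where-Object {
    # Keep only records with at least one SID that is present and is not SYSTEM;
    # this matters once the Data key above is removed to list every account.
    $sids = @($_.SubjectUserSid, $_.TargetUserSid) | Where-Object { $_ -and $_ -ne $SystemSid }
    @($sids).Count -gt 0
  } |
  Format-Table -AutoSize
```

Remove the Data key from the hashtable to see all accounts within the window; the SYSTEM exclusion then does the filtering the question asked for, and the name-based lookup keeps the columns correct across the mixed event IDs.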