How to get PowerShell > Get-WinEvent > Security > Information > matching an access mask of 0x1 or 0x4
How do I get Security ID 4663 where the message is 0x1 | 0x4 | etc.? I have tried different code; I just want to record about 5 codes to CSV. I can export to CSV, and I can extract only the 4663 IDs, but I can't filter on the access mask in the message, which is text inside the message field. Does anyone have any ideas? Here is the code I have built so far:-
```powershell
$Results = foreach($server in "server-name")
{
    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select Timecreated, ID, Message | Get-EventLog "Security" -before 4/10/2013 -InstanceId 4663 | % {
        New-Object psobject -Property @{
            Index = $_.Index
            TimeGenerated = $_.TimeGenerated
            "Account Name" = $_.ReplacementStrings[1]
            "Object Type" = $_.ReplacementStrings[5]
            "Object Name" = $_.ReplacementStrings[6]
        }
    } | Write-Host
}
```
This is the part that records:
```powershell
#$Results = foreach($server in "file-server")
#{
#    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select Timecreated, ID, Message | Write-Host
```
The result should be:

Account Name: Object Name: where the record has one of the access masks "0x0", "0x1", "0x2", "0x4", "0x20", "0x40", "0x10000"
Is this what you're looking for? So let's go a bit deeper into Windows event messages. Every message has a template. You can view the templates like this:
```powershell
(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
    select Id, Version, Template |
    Format-List
```
We can dig deeper and find the event we are looking for, like so:
```powershell
(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
    Where-Object {$_.Id -eq 4663} |
    select Id, Version, Template |
    Format-List
```
We can see that Windows uses two versions of the template. We can also see what the proper field names are:
```xml
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
    <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
    <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
    <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
    <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
    <data name="ObjectServer" inType="win:UnicodeString" outType="xs:string"/>
    <data name="ObjectType" inType="win:UnicodeString" outType="xs:string"/>
    <data name="ObjectName" inType="win:UnicodeString" outType="xs:string"/>
    <data name="HandleId" inType="win:Pointer" outType="win:HexInt64"/>
    <data name="AccessList" inType="win:UnicodeString" outType="xs:string"/>
    <data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>
    <data name="ProcessId" inType="win:Pointer" outType="win:HexInt64"/>
    <data name="ProcessName" inType="win:UnicodeString" outType="xs:string"/>
    <data name="ResourceAttributes" inType="win:UnicodeString" outType="xs:string"/>
</template>
```
We will convert each event to XML and walk down to those fields, then create a PSObject to hold all of them. Then we add each PSObject to an ArrayList:
```powershell
$ArrayList = New-Object System.Collections.ArrayList
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10 | %{
    $XML = [xml]$_.toXml()
    $PsObject = New-Object psobject
    $XML.Event.EventData.Data | %{
        $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
    }
    $ArrayList.add($PsObject) | out-null
}
$ArrayList | Select AccessMask
```
We selected only AccessMask from the ArrayList, which is nice.

Finally, I wrote a function:
```powershell
function Parse-WindowsEvents(){
    param(
        [Parameter(Position=1, ValueFromPipeline)]
        [object[]]$Events
    )
    process{
        $ArrayList = New-Object System.Collections.ArrayList
        $Events | %{
            $EventObj = $_
            $EventObjFullName = $_.GetType().FullName
            if($EventObjFullName -like "System.Diagnostics.EventLogEntry"){
                # Get-EventLog entries have no ToXml(); look up the same record with Get-WinEvent
                $EventObj = Get-WinEvent -LogName security -FilterXPath "*[System[EventRecordID=$($_.get_Index())]]"
            }elseif($EventObjFullName -like "System.Diagnostics.Eventing.Reader.EventLogRecord"){
            }else{
                throw "Not An Event System.Diagnostics.Eventing.Reader.EventLogRecord or System.Diagnostics.EventLogEntry"
            }
            # Copy the record's own properties onto a fresh object
            $PsObject = New-Object psobject
            $EventObj.psobject.properties | %{
                $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.Value
            }
            # Parse EventData into named properties and attach them as ParsedMessage
            $XML = [xml]$EventObj.toXml()
            $PsObject2 = New-Object psobject
            $XML.Event.EventData.Data | %{
                $PsObject2 | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
            }
            $PsObject | Add-Member -MemberType NoteProperty -Name ParsedMessage -Value $PsObject2
            $ArrayList.add($PsObject) | out-null
        }
        return $ArrayList
    }
}
```
Example usage:

```powershell
Get-EventLog -LogName Security | select -first 3 | Parse-WindowsEvents | select id, recordid -ExpandProperty parsedmessage | fl
```
or

```powershell
Get-WinEvent -LogName Security | Parse-WindowsEvents
```

The function adds a new property named ParsedMessage to the object. I'm not 100% sure what you are trying to achieve; are you trying to parse the message?

This is amazing ArcSet, a great explanation; this is going into my Evernote notes. It's a treat. Have a great day.

@DavidArmstrong I added a reusable function at the bottom.

Thanks ArcSet, it looks good but I just can't get past these errors. This is what I put on the line to call the function: `Get-WinEvent -ComputerName $ComputerName -logname security |-FilterXPath "*[System[EventID=4663]" -MaxEvents 5` Obviously I got it wrong. Here is what I have:

```powershell
Get-WinEvent -ComputerName $ComputerName -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 5 | where {($_.Message -match '\b0x0\b' -or $_.Message -match '\b0x1\b' -or $_.Message -match '\b0x4\b' -or $_.Message -match '\b0x20\b' -or $_.Message -match '\b0x10000\b')}
```

@DavidArmstrong

```powershell
Get-WinEvent -ComputerName $ComputerName -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 5 | Parse-WindowsEvents | ?{@("0x10000","0x40","0x20","0x4","0x1","0x0") -contains $_.ParsedMessage.AccessMask}
```

using the function from my post; paste the function above this line.

Sorry for the delay ArcSet, this worked, it just took me a little while to filter out the fields I needed, thank you so much. This is great. My filter:

```powershell
$AccessMask = $PsObject | Select-String -Pattern "Access Mask.*?" -AllMatches | foreach {$_.Matches.Value}
$AccessMask = $AccessMask -replace "(\t){2}|",""
$AccountName = $PsObject | Select-String -Pattern "Account Name.*\n" -AllMatches | foreach {$_.Matches.Value}
$AccountName = $AccountName -replace "(\t){2}",""
```

I used this filter on the 4 files I needed so I can see who last accessed a file. Thanks a lot ArcSet.

Thanks Leon for taking the time to share your expertise, this is great; in the end I used ArcSet's code because it was easier for me to add the other information I needed. Have a great day.

I just wanted to upvote you Leon because I used your filtering and ArcSet's code to retrieve and filter the data.
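As an added example (not code from the question or from ArcSet's answer), the XML-parsing approach above applied to the question's actual goal: keep only the 4663 events whose AccessMask equals one of a chosen set, decode the mask bits to right names, and export the account and object fields to CSV. Comparing the parsed AccessMask as a number avoids the false hits a regex over the Message text can produce, because the Message also carries Process ID and Handle ID hex values (for example `0x4` for the System process) in the same format. The computer name, mask set and output path are placeholders.

```powershell
# Added example, not code from the question or the answer above.
# Assumptions: the caller can read the Security log, and $ComputerName,
# $MaskFilter and the CSV path are placeholders to replace.

# Access-right bits that event 4663 reports in AccessMask for files and directories.
$AccessBits = [ordered]@{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x20    = 'Execute/Traverse'
    0x40    = 'DeleteChild'
    0x10000 = 'DELETE'
}

function Get-FileAccessEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$MaskFilter = @(0x1, 0x4),   # keep only events whose AccessMask is one of these
        [int]$MaxEvents = 100
    )
    # FilterHashtable is applied by the event log service, so only 4663 records come back.
    $filter = @{ LogName = 'Security'; Id = 4663 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Same technique as the answer: EventData/Data elements are named, so no regex on Message.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # AccessMask is a hex string such as "0x1"; the [int] cast understands the 0x prefix.
        $mask = [int]$data['AccessMask']
        if ($MaskFilter -contains $mask) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                AccountName = $data['SubjectUserName']
                ObjectType  = $data['ObjectType']
                ObjectName  = $data['ObjectName']
                AccessMask  = $data['AccessMask']
                Access      = ($AccessBits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $AccessBits[$_] }) -join ', '
                ProcessName = $data['ProcessName']
            }
        }
    }
}

# Usage: export ReadData (0x1) and AppendData (0x4) accesses from the newest 100 events.
Get-FileAccessEvent -MaskFilter @(0x1, 0x4) |
    Export-Csv -Path "$env:TEMP\file-access-4663.csv" -NoTypeInformation
```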