正在尝试分析事件日志xml以获取targetusername、登录类型、timecreated列
由于属性是如何存储在正在尝试分析事件日志xml以获取targetusername、登录类型、timecreated列,xml,parsing,powershell,events,logging,Xml,Parsing,Powershell,Events,Logging,由于属性是如何存储在$XMLEntryobject中的,我无法让下面的脚本输出targetusername和logon type列。我在运行下面的代码时收到以下错误: 无法将值“System.Object[]”转换为类型 “System.Xml.XmlDocument”。错误:“此文档已经有一个 “DocumentElement”节点。“ $ComputerName='fod71247' $XMLFilter=@” *[系统[(EventID=4624或EventID=4634或EventID=
$XMLEntryobject$ComputerName='fod71247'
$XMLFilter=@”
*[系统[(EventID=4624或EventID=4634或EventID=4625)
和
创建的时间[@SystemTime='2015-10-30T12:00:00:000Z'和@SystemTime='2015-10-31T00:00:00:000Z']]
和
EventData[Data[@Name='TargetUserName']和(Data='c660503')]
和
EventData[Data[@Name='LogonType']和(Data='7'或Data='2')]]
"@
$Events=Get-WinEvent-computername$computername-FilterXml$XMLFilter
foreach($Events中的事件){
$EventXML+=[XML]$Events.ToXML()
}
foreach($EventXML中的XMLEntry){
foreach($XMLEntry.Event.EventData.Data中的属性){
如果($Property.Name-eq“TargetUserName”-和$Property.Name-eq“TimeCreated”-和$Property.Name-eq“LogonType”-和$Property.。#text'-ne($ComputerName+“$”)){
写入主机$Property。“#文本”
}
}
}
$result=$computername|%{
"Checking $_ NPS " |write-verbose
icm -ComputerName $_ -ScriptBlock {
$server=$env:computername
Get-WinEvent -FilterXml "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=6273) and TimeCreated[timediff(@SystemTime) <= 3600000]]]</Select></Query></QueryList>" -maxevent 100 |
%{
$o="dummy"|select server,machinename,MAC #quickly create an object with server,machinename and mac properties
$o.server=$server
[xml]$ev=$_.toXML();$ev.event.eventdata.data | %{ #parse the event data to extract useful infos
if($_.name -eq "SubjectMachineName") {$o.machinename=$_."#text"}
elseif($_.name -eq "CallingStationID") {$o.mac=$_."#text"}
}
}
$o #return the created object
}
}
$result |select machinename,mac,server -uniq
$result=$computername |%{
“检查$NPS”|写详细内容
icm-ComputerName$\脚本块{
$server=$env:computername
获取WinEvent-FilterXml“*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']和(EventID=6273)以及TimeCreated[timediff(@SystemTime)=3600000]]””-maxevent 100|
%{
$o=“dummy”|选择服务器、machinename、MAC#快速创建具有服务器、machinename和MAC属性的对象
$o.server=$server
[xml]$ev=$\uxml();$ev.event.eventdata.data |%{#解析事件数据以提取有用的信息
if($\u0.name-eq“SubjectMachineName”){$o.machinename=$\u0.name.\35; text”}
elseif($35; name-eq“CallingStationID”){$o.mac=$35; text}
}
}
$o#返回创建的对象
}
}
$result |选择machinename、mac、服务器-uniq
$result=$computername|%{
"Checking $_ NPS " |write-verbose
icm -ComputerName $_ -ScriptBlock {
$server=$env:computername
Get-WinEvent -FilterXml "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=6273) and TimeCreated[timediff(@SystemTime) <= 3600000]]]</Select></Query></QueryList>" -maxevent 100 |
%{
$o="dummy"|select server,machinename,MAC #quickly create an object with server,machinename and mac properties
$o.server=$server
[xml]$ev=$_.toXML();$ev.event.eventdata.data | %{ #parse the event data to extract useful infos
if($_.name -eq "SubjectMachineName") {$o.machinename=$_."#text"}
elseif($_.name -eq "CallingStationID") {$o.mac=$_."#text"}
}
}
$o #return the created object
}
}
$result |select machinename,mac,server -uniq
$result=$computername |%{
“检查$NPS”|写详细内容
icm-ComputerName$\脚本块{
$server=$env:computername
获取WinEvent-FilterXml“*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']和(EventID=6273)以及TimeCreated[timediff(@SystemTime)=3600000]]””-maxevent 100|
%{
$o=“dummy”|选择服务器、machinename、MAC#快速创建具有服务器、machinename和MAC属性的对象
$o.server=$server
[xml]$ev=$\uxml();$ev.event.eventdata.data |%{#解析事件数据以提取有用的信息
if($\u0.name-eq“SubjectMachineName”){$o.machinename=$\u0.name.\35; text”}
elseif($35; name-eq“CallingStationID”){$o.mac=$35; text}
}
}
$o#返回创建的对象
}
}
$result |选择machinename、mac、服务器-uniq
$error[0]| fl*-f[XML]$Events.ToXML()[XML]$Event.ToXML()$error[0]| fl*-f[XML]$Events.ToXML()[XML]$Event.ToXML()