Get-WinEvent Obtain Interactive Logon Messages Only

Backend · unresolved · 5 · 1221
南方客 · 2021-01-15 15:13

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain \

5 answers
  • 2021-01-15 15:32

    EventRecord.Properties has the logon type in the list. To filter out successful logon events of the interactive logon type for today:

    # Properties[8] is the LogonType field of a 4624 record; 2 = Interactive
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).Date} | Where-Object { $_.Properties[8].Value -eq 2 }
    
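Added example, not part of the answer above: the same Properties-index approach extended to several machines and to all three interactive logon types (2 console, 10 RDP, 11 cached console), with the positional fields turned into named columns. The host names are placeholders. The index map is the 4624 EventData layout from Windows 7 / Server 2008 R2 onward; later versions append fields after index 19 without shifting the earlier ones.

```powershell
# Added example (not the answer's own code). Reads 4624 fields by position from
# EventRecord.Properties instead of scraping the rendered Message text.
# 4624 EventData positions used below (assumed stable since Windows 7 / 2008 R2):
#   5 TargetUserName   6 TargetDomainName   8 LogonType   9 LogonProcessName
#  10 AuthenticationPackageName  11 WorkstationName  17 ProcessName  18 IpAddress
$LogonTypeName = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-InteractiveLogon {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).Date,
        # 2 = console, 10 = RDP, 11 = cached console logon (DC unreachable)
        [int[]]$LogonType = @(2, 10, 11)
    )
    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
        # SilentlyContinue hides the "No events were found" error on idle hosts
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { [int]$_.Properties[8].Value -in $LogonType } |
            ForEach-Object {
                $p    = $_.Properties
                $type = [int]$p[8].Value
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    Computer      = $_.MachineName
                    TargetUser    = '{0}\{1}' -f $p[6].Value, $p[5].Value
                    LogonType     = $type
                    LogonTypeName = $LogonTypeName[$type]
                    LogonProcess  = $p[9].Value
                    AuthPackage   = $p[10].Value
                    Workstation   = $p[11].Value
                    ProcessName   = $p[17].Value
                    SourceIp      = $p[18].Value
                }
            }
    }
}

# Usage: interactive and RDP logons since midnight on two (placeholder) hosts.
Get-InteractiveLogon -ComputerName 'HOST1', 'HOST2' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Computer, TargetUser, LogonTypeName, SourceIp -AutoSize
```

The positional indices are fast but brittle in the sense that they are only meaningful for event 4624; a different event ID has a different layout, so keep the Id filter in the hashtable rather than filtering on Properties alone.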
  • 2021-01-15 15:34

    FYI in case anyone else ever attempts to do this same thing, it was looking for extra spaces after "Logon Type:". It wanted it to look like it does in the log itself, "Logon Type: 2". I am not sure how to get around this in PowerShell, but putting it that way did the trick for me.

  • 2021-01-15 15:39

    For optimal speed you should filter via Xpath like this:

    Get-WinEvent -ProviderName 'Microsoft-Windows-Security-Auditing' -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]" | select -First 1
    
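Added example, not from the answer above: the XPath filter carried into a full structured query passed with -FilterXml, so the event log service on each target host does the filtering and only matching records cross the network. The 24-hour window, the three interactive logon types and the suppression of the Window Manager / Font Driver Host noise accounts are choices made for this example, and the host names are placeholders.

```powershell
# Added example (not the answer's own code). Structured XPath query for 4624:
#  - restricted to the Security Auditing provider and the last 24 h
#    (timediff() is in milliseconds)
#  - LogonType 2 (console), 10 (RDP) or 11 (cached console)
#  - Suppress drops the DWM-x / UMFD-x type-2 logons that Windows 8+ generates
# Inside XML the "<=" operator must be written as "&lt;=".
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
               and EventID=4624
               and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
        and EventData[Data[@Name='LogonType']='2'
                   or Data[@Name='LogonType']='10'
                   or Data[@Name='LogonType']='11']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetDomainName']='Window Manager'
               or Data[@Name='TargetDomainName']='Font Driver Host']]
    </Suppress>
  </Query>
</QueryList>
"@

foreach ($computer in 'HOST1', 'HOST2') {          # placeholder host names
    try {
        Get-WinEvent -ComputerName $computer -FilterXml ([xml]$query) -ErrorAction Stop |
            Select-Object MachineName, TimeCreated, Id,
                @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
                @{ n = 'User';      e = { $_.Properties[5].Value } }
    }
    catch {
        # Get-WinEvent reports "No events were found" the same way as RPC or
        # access-denied failures; surface both as a warning and move on
        Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
    }
}
```

The same query text can be pasted into Event Viewer's "Filter Current Log > XML" tab or passed to `wevtutil qe Security /q:"..."`, which is a convenient way to check it before running it against many hosts.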
  • 2021-01-15 15:42

    I worked on several approaches to this problem. I thought they might be useful since identifying logon types is important. -RMF

    Get-WinEvent -max 1000 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

    Logon Type:            5
    Logon Type:            7
    ...

    Get-WinEvent Security -max 1000| Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more

    Id   Level Message
    --   ----- -------
    4624     0 An account was successfully logged on.

           Subject:
               Security ID:        (deleted)
               Account Name:        (deleted)
               Account Domain:        (deleted)
               Logon ID:        0x3e7
    
           Logon Type:            5
    

    ....

    Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

    TimeCreated           MachineName Message
    -----------           ----------- -------
    6/29/2011 12:36:35 PM (deleted)   An account was successfully logged on.

                                  Subject:
                                      Security ID:        (deleted)
                                      Account Name:        (deleted)
                                      Account Domain:        (deleted)
                                      Logon ID:        0x3e7
    
                                  Logon Type:            5
    

    ...

    Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

    @{TimeCreated=06/29/2011 12:36:35; MachineName=(deleted); Message=An account was successfully logged on.

    Subject:
                                      Security ID:        (deleted)
                                      Account Name:        (deleted)
                                      Account Domain:        (deleted)
                                      Logon ID:        0x3e7
    
                                  Logon Type:            5
    

    ...

    This last approach digs select information out of the Message per logon event, adds the TimeCreated field and gives something like a database format for all logon attempts (Id=4624) in the security log. The results are appended to a CSV file.

    $LogonTypes = Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}

    # findstr /G: reads one search string per line from search.lst and keeps only
    # the matching lines of the formatted record, which are then joined into one CSV row
    foreach ($item in $LogonTypes) {
        ($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","" -join "," | Out-File -Append test3.csv
    }

    where search.lst contains one search string per line:

    TimeCreated
    Security ID:
    Account Name:
    Account Domain:
    Logon ID:
    Logon Type:
    Logon GUID:
    Process Name:

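Added example, not the answer's own code: the same one-row-per-logon CSV, but built from each event's XML (ToXml()) with the fields read by name, so it needs no search.lst, does not depend on the display language of the Message, and is unaffected by the whitespace after "Logon Type:". The output path is a placeholder.

```powershell
# Added example (not from the original answer). Turns 4624 records into flat
# objects by reading <EventData><Data Name="...">value</Data> from the event XML.
function ConvertTo-LogonRecord {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()

        # Build a Name -> value table from the EventData section
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        [pscustomobject]@{
            TimeCreated  = $Event.TimeCreated
            Computer     = $xml.Event.System.Computer
            SubjectUser  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            TargetSid    = $data.TargetUserSid
            TargetUser   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonId      = $data.TargetLogonId
            LogonType    = [int]$data.LogonType
            LogonGuid    = $data.LogonGuid
            Workstation  = $data.WorkstationName
            ProcessName  = $data.ProcessName
            IpAddress    = $data.IpAddress
        }
    }
}

# Usage: every 4624 in the Security log, appended to a CSV (placeholder path).
# Filter on LogonType here if only interactive logons are wanted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    ConvertTo-LogonRecord |
    Where-Object { $_.LogonType -in 2, 10, 11 } |
    Export-Csv -Path .\logons.csv -NoTypeInformation -Append
```

Because the fields are looked up by the Name attribute, this keeps working on newer Windows versions that append extra Data elements (ElevatedToken, VirtualAccount and so on) to 4624, and any of those can be added to the output object by name.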
  • 2021-01-15 15:46

    The solution to the problem of how to match the white space between the semicolon and the number 2 in the first code example at the top of this article is to use a PowerShell regular expression pattern written like this \s+.

    The pattern characters are case sensitive and typically used with the "-match" operator, but can be effectively employed with the Select-String cmdlet as written in the poster's original query. The modified code would look like this:

    Get-WinEvent -FilterHashTable @{LogName="Security";ID=4624} | where { $_.Message | Select-String "Logon Type:\s+2"} 
    

    Additionally, if the PowerShell script needs to query older operating systems that still use classic event logs, the Get-EventLog cmdlet can likewise be employed with the same pattern as shown here:

    Get-EventLog -LogName Security -InstanceID 4624 | Where {$_.Message -match "Logon Type:\s+2"}
    

    PowerShell regular expression references:

    https://technet.microsoft.com/en-us/magazine/2007.11.powershell.aspx
    https://www.petri.com/powershell-string-parsing-with-regular-expressions

    Note: the regex pattern referenced in this answer is described by Microsoft as a “character class”.

    Clark Froebe

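Added example, not from this answer or the earlier reply about the extra spaces: capture the number after "Logon Type:" and compare it as an integer instead of matching a literal digit. A pattern such as "Logon Type:\s+1" also matches types 10 through 13, which a capture group avoids. The sample messages are constructed to mimic the rendered text and are not real records; Message is rendered from the provider's message DLL, so this only works where the English description is installed.

```powershell
# Added example (not the answer's own code). Constructed messages imitating the
# rendered 4624 text, with the tab padding that follows "Logon Type:".
$samples = @(
    "An account was successfully logged on.`r`n`r`n`tLogon Type:`t`t`t2`r`n",
    "An account was successfully logged on.`r`n`r`n`tLogon Type:`t`t`t10`r`n",
    "An account was successfully logged on.`r`n`r`n`tLogon Type:`t`t`t3`r`n"
)

function Get-LogonTypeFromMessage {
    param([string]$Message)
    # \s+ absorbs any run of spaces/tabs; (\d+) takes the whole number so that
    # "1" cannot match the first digit of 10, 11, 12 or 13
    if ($Message -match 'Logon Type:\s+(\d+)') { return [int]$Matches[1] }
    return $null
}

# Constructed samples: yields the three logon type numbers as integers
foreach ($m in $samples) { Get-LogonTypeFromMessage $m }

# Applied to live events, keeping only console and RDP logons
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { (Get-LogonTypeFromMessage $_.Message) -in 2, 10 }
```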