論壇里面有人詢問如何使用powershell腳本查詢文件修改的審計日志,豆子服務器沒開這個功能,不過嘗試寫了個類似的腳本可以查詢日志,并輸出對應的xml內容。
基本方法是get-winevent, 可以指定對應的eventid,獲取列表。如果想獲取這個事件具體的內容,需要根據不同事件的xml內容進行變化。
比如
|
1
2
3
|
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{Logname='Security';Id=4771} -MaxEvents 1 $eventXML = [xml]$Event.ToXml() $eventxml.event.event.data |
根據這個思路,我如果想獲取最新的20個4771的事件日志,并輸出結果
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{Logname='Security';Id=4771} -MaxEvents 20 # Parse out the event message data ForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' } } $events | select Message, TargetUserName, ipaddress,timecreated | Out-GridView |
有的時候,事件的數目很多,我希望對這個時間進行一個限制。千萬別用 where-object 的方式來過濾,不然等到地老天荒也未必出結果。
我們需要通過哈希表來過濾
|
1
2
3
|
$endtime=get-date$starttime=$endtime.addminutes(-1) $eventcritea = @{logname='security';id=4740;starttime=$starttime;endtime=$endtime} |
另外一種常見的方式是通過xmlfilter來過濾日志
首先,我們可以通過event viewer來自定義一個xpath
因為是不同的事件,他的eventdata結果是不一樣的,因此我做了些變動。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[xml]$xmlFilter = @" <QueryList> <Query Id="0" Path="Application"> <Select Path="Application">*[System[(EventID=1002) and TimeCreated[timediff(@SystemTime) <= 604800000]]]</Select> </Query> </QueryList> “@ #Get-WinEvent -ComputerName $DC.DC -LogName Security -FilterXPath "*[System[(EventID=529 or EventID=644 or EventID=675 or EventID=676 or EventID=681 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" #-MaxEvents 50 $Events = Get-WinEvent -ComputerName syddc01 -FilterXML $xmlFilterForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name "App" -Value $eventXML.Event.EventData.Data[5] } } $Events | select Message, App, providerName, timecreated | Out-GridView |
結果如下
最后再給一個例子,我希望獲取lockout用戶的信息以及他們是在哪里被鎖住的,這個日志我們查看4771或者4740。4771的日志過多,查詢太慢,所以這里我已4740為例。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
eventcritea = @{logname='security';id=4740} $Events =get-winevent -ComputerName (Get-ADDomain).pdcemulator -FilterHashtable $eventcritea#$Events = Get-WinEvent -ComputerName syddc01 -Filterxml $xmlfilter # Parse out the event message data ForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' } } $events | select TargetUserName,timecreated, targetdomainname | Out-GridView -Title LockOutStatus break; Search-ADAccount -LockedOut | ForEach-Object {Unlock-ADAccount -Identity $_.distinguishedname } |
本文出自 “麻婆豆腐” 博客
