Get-WinEvent Obtain Interactive Logon Messages Only

南方客
南方客 2021-01-15 15:13

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain \

5 answers
  •  刺人心 (original poster)
     2021-01-15 15:42

    I worked on several approaches to this problem. I thought they might be useful since identifying logon types is important. -RMF

    Get-WinEvent -max 1000 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

    Logon Type: 5 Logon Type: 7 ...

    Get-WinEvent Security -max 1000| Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more

    Id Level Message


    4624 0 An account was successfully logged on.

           Subject:
               Security ID:        (deleted)
               Account Name:        (deleted)
               Account Domain:        (deleted)
               Logon ID:        0x3e7
    
           Logon Type:            5
    

    ....

    Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

    TimeCreated           MachineName Message
    -----------           ----------- -------
    6/29/2011 12:36:35 PM (deleted)   An account was successfully logged on.

                                  Subject:
                                      Security ID:        (deleted)
                                      Account Name:        (deleted)
                                      Account Domain:        (deleted)
                                      Logon ID:        0x3e7
    
                                  Logon Type:            5
    

    ...

    Get-WinEvent -max 10 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

    @{TimeCreated=06/29/2011 12:36:35; MachineName=(deleted); Message=An account was successfully logged on.

    Subject:
                                      Security ID:        (deleted)
                                      Account Name:        (deleted)
                                      Account Domain:        (deleted)
                                      Logon ID:        0x3e7
    
                                  Logon Type:            5
    

    ...

    This last approach digs select information out of the Message per logon event, adds the TimeCreated field and gives something like a database format for all logon attempts (Id=4624) in the security log. The results are appended to a csv.

    $LogonTypes=Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}

    foreach ($item in $LogonTypes) { ($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","" -join "," | out-file -append test3.csv }

    where search.lst holds one search string per line:

    TimeCreated
    Security ID:
    Account Name:
    Account Domain:
    Logon ID:
    Logon Type:
    Logon GUID:
    Process Name:
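As an added example (not the poster's code), the same extraction done against the event's structured XML instead of grepping the Message text, restricted to the interactive logon types and run across several machines as the question asks. Logon types 2 (Interactive), 10 (RemoteInteractive) and 11 (CachedInteractive) are the documented values for console and RDP logons; the host names and output path below are placeholders, and `Get-InteractiveLogon` is a name chosen here.

```powershell
# Added example, not from the thread: collect 4624 events from several machines, keep only
# interactive-style logons, and flatten the XML EventData into CSV columns.
function Get-InteractiveLogon {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Interactive, RemoteInteractive, CachedInteractive
        [int[]]$LogonType = @(2, 10, 11),
        [int]$MaxEvents = 1000
    )

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -MaxEvents $MaxEvents `
                -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop
        } catch {
            # Unreachable host, access denied, or no matching events: report and move on
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($event in $events) {
            # EventData is already structured in the XML, so no regex over the Message text
            $xml  = [xml]$event.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            if ([int]$data['LogonType'] -notin $LogonType) { continue }

            [pscustomobject]@{
                TimeCreated   = $event.TimeCreated
                Computer      = $event.MachineName
                LogonType     = [int]$data['LogonType']
                TargetDomain  = $data['TargetDomainName']
                TargetUser    = $data['TargetUserName']
                SubjectUser   = $data['SubjectUserName']
                LogonId       = $data['TargetLogonId']
                SourceAddress = $data['IpAddress']
                Workstation   = $data['WorkstationName']
                LogonProcess  = $data['LogonProcessName']
                ProcessName   = $data['ProcessName']
                LogonGuid     = $data['LogonGuid']
            }
        }
    }
}

# Usage with placeholder host names; the CSV gets one row per interactive logon
Get-InteractiveLogon -ComputerName 'SERVER01', 'SERVER02' |
    Export-Csv -Path .\interactive-logons.csv -NoTypeInformation
```

Reading the fields from the XML keeps the output stable across locales and Windows versions, where the wording and indentation of the Message text vary, and it gives you the source address and workstation name that the findstr approach drops. Remote collection needs the Remote Event Log Management firewall rule open and Event Log Readers rights on the target.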
