論壇里面有人詢問如何使用powershell腳本查詢文件修改的審計日志�����,豆子服務器沒開這個功能���,不過嘗試寫了個類似的腳本可以查詢日志����,并輸出對應的xml內容���。
基本方法是get-winevent, 可以指定對應的eventid���,獲取列表。如果想獲取這個事件具體的內容���,需要根據不同事件的xml內容進行變化�。
比如
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{Logname='Security';Id=4771} -MaxEvents 1 $eventXML = [xml]$Event.ToXml() $eventxml.event.event.data 
根據這個思路,我如果想獲取最新的20個4771的事件日志�����,并輸出結果
$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable @{Logname='Security';Id=4771} -MaxEvents 20 # Parse out the event message data ForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' } } $events | select Message, TargetUserName, ipaddress,timecreated | Out-GridView 
有的時候��,事件的數目很多���,我希望對這個時間進行一個限制。千萬別用 where-object 的方式來過濾�����,不然等到地老天荒也未必出結果�����。
我們需要通過哈希表來過濾
$endtime=get-date$starttime=$endtime.addminutes(-1) $eventcritea = @{logname='security';id=4740;starttime=$starttime;endtime=$endtime}另外一種常見的方式是通過xmlfilter來過濾日志
首先�����,我們可以通過event viewer來自定義一個xpath
因為是不同的事件��,他的eventdata結果是不一樣的����,因此我做了些變動�。
[xml]$xmlFilter = @" <QueryList> <Query Id="0" Path="Application"> <Select Path="Application">*[System[(EventID=1002) and TimeCreated[timediff(@SystemTime) <= 604800000]]]</Select> </Query> </QueryList> “@ #Get-WinEvent -ComputerName $DC.DC -LogName Security -FilterXPath "*[System[(EventID=529 or EventID=644 or EventID=675 or EventID=676 or EventID=681 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" #-MaxEvents 50 $Events = Get-WinEvent -ComputerName syddc01 -FilterXML $xmlFilter ForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name "App" -Value $eventXML.Event.EventData.Data[5] } } $Events | select Message, App, providerName, timecreated | Out-GridView 結果如下
最后再給一個例子,我希望獲取lockout用戶的信息以及他們是在哪里被鎖住的�����,這個日志我們查看4771或者4740���。4771的日志過多��,查詢太慢���,所以這里我已4740為例。
eventcritea = @{logname='security';id=4740} $Events =get-winevent -ComputerName (Get-ADDomain).pdcemulator -FilterHashtable $eventcritea #$Events = Get-WinEvent -ComputerName syddc01 -Filterxml $xmlfilter # Parse out the event message data ForEach ($Event in $Events) { # Convert the event to XML $eventXML = [xml]$Event.ToXml() # Iterate through each one of the XML message properties For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { # Append these as object properties Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text' } } $events | select TargetUserName,timecreated, targetdomainname | Out-GridView -Title LockOutStatus break; Search-ADAccount -LockedOut | ForEach-Object {Unlock-ADAccount -Identity $_.distinguishedname }
本文出自 “麻婆豆腐” 博客
