J. *_*Doe 5 powershell event-log
嘿嘿,,
如何通过 Powershell 读取服务器上所有成功登录的列表?列表中应输出以下字段:TimeGenerator、UserName。我目前陷入以下脚本:我怀疑这是 Split 命令
Clear-Host
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | ForEach-Object {
$message = $_.Message
$userName = ($message -split "Kontoname: ")[1] -split "`r`n"[1]
[PSCustomObject]@{
TimeGenerated = $_.TimeGenerated
UserName = $userName
}
} | Format-Table TimeGenerated, UserName
我的错误在哪里,或者可能是我的 PowerShell 命令错误?
谁可以帮助我或者有一个脚本示例给我?
问候
Clear-Host
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | ForEach-Object {
$message = $_.Message
$userName = ($message -split "Kontoname: ")[1] -split "`r`n"[1]
[PSCustomObject]@{
TimeGenerated = $_.TimeGenerated
UserName = $userName
}
} | Format-Table TimeGenerated, UserName
问题似乎是缺少括号,而且您很可能需要0第二个分割的索引:
# This:
$userName = ($message -split "Kontoname: ")[1] -split "`r`n"[1]
# Should be:
$userName = (($message -split 'Kontoname: ')[1] -split "`r`n")[0]
但是,有一种更简单的方法可以从4624 事件中获取目标帐户名称,即获取属性索引 5 处的值。另请注意使用(较新的 cmdlet)而不是..PropertiesGet-WinEventGet-EventLog
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624 } | ForEach-Object {
[PSCustomObject]@{
TimeGenerated = $_.TimeCreated
UserName = $_.Properties[5].Value
}
}
| 归档时间: |
|
| 查看次数: |
312 次 |
| 最近记录: |