Audit users who logged on via Remote Desktop, filtering out local IP addresses

I picked up this PowerShell from somewhere online (I forget where) and modified it, but I need to filter out the local IP address range so that only external IPs are shown. Can someone help me modify the script?

My local IP address range is 192.168.1.0/254

    Param(
        [array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
        [datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"   # declared but not used; the filter below takes the last 7 days
    )
    ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
        # RDS LocalSessionManager log: 21 logon, 23 logoff, 24 disconnect, 25 reconnect
        $L_V_1_String_EventLogFilter = @{
            LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            StartTime = (get-date).adddays(-7)
        }
        $L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
        $L_V_1_String_GetAllEventLog | Foreach {
            # User and source address are in the event's UserData XML, not in the message text
            $L_V_1_String_EventLog = [xml]$_.ToXml()
            [array]$L_V_1_Array_OutputToFile += New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
                IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
                EventID = $L_V_1_String_EventLog.Event.System.EventID
                ServerName = $L_V_1_String_ComputerName
            }
        }
    }
    $L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
            if ($_.EventID -eq '21'){"logon"}
            if ($_.EventID -eq '22'){"Shell start"}
            if ($_.EventID -eq '23'){"logoff"}
            if ($_.EventID -eq '24'){"disconnected"}
            if ($_.EventID -eq '25'){"reconnection"}
        }
    }
    $L_V_1_Array_CSVFilePath = "A:U_AU_WC_NonFiledFileU_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
    $L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation

Assuming your IP range is 192.168.1.0/24 and not the odd 192.168.1.0/254:

    Param(
        [array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
        [datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
    )
    # Initialise the accumulators so a second run in the same session does not append to old results
    $L_V_1_Array_FilterOutputFile = $null
    [PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
    ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
        $L_V_1_String_EventLogFilter = @{
            LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            StartTime = (get-date).adddays(-7)
        }
        $L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
        $L_V_1_String_GetAllEventLog | Foreach {
            $L_V_1_String_EventLog = [xml]$_.ToXml()
            # Skip console sessions (Address is the literal LOCAL) and the 192.168.1.0/24 subnet.
            # The dots are escaped so the pattern matches only 192.168.1.x; unescaped, "^192.168.1."
            # would also match 192.168.10.x and 192.168.100.x.
            if ($L_V_1_String_EventLog.Event.UserData.EventXML.Address -ne "LOCAL" `
                -and $L_V_1_String_EventLog.Event.UserData.EventXML.Address -notmatch "^192\.168\.1\.")
            {
                [array]$L_V_1_Array_OutputToFile += [PSCustomObject]@{
                    TimeCreated = $_.TimeCreated
                    User = $L_V_1_String_EventLog.Event.UserData.EventXML.User
                    IPAddress = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
                    EventID = $L_V_1_String_EventLog.Event.System.EventID
                    ServerName = $L_V_1_String_ComputerName
                    # Map the event ID to a label while the object is built (22 is labelled but not queried above)
                    Action = switch ($L_V_1_String_EventLog.Event.System.EventID)
                    {
                        21 { "logon"; break }
                        22 { "Shell start"; break }
                        23 { "logoff"; break }
                        24 { "disconnected"; break }
                        25 { "reconnection"; break }
                        default { break }
                    }
                }
            }
        }
    }
    $L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, Action
    $L_V_1_Array_CSVFilePath = "A:U_AU_WC_NonFiledFileU_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"
    $L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation

First, I added variable initialisation:

    $L_V_1_Array_FilterOutputFile = $null
    [PSCustomObject[]]$L_V_1_Array_OutputToFile = @()

This avoids problems if the script is run more than once.

Second, I used PSCustomObject instead of PSObject, which is the better way nowadays.

Third, I set the "Action" member directly when the object is created (a switch statement is better than multiple ifs here).

Fourth, you defined an Action for EventID 22 but you do not retrieve it (see $L_V_1_String_EventLogFilter). I left it as it is, but if you want EventID 22 you need to add it there.

Finally, I did this quickly; you could make some improvements to get a more readable and faster script.
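A mask-based range check, as an added example that is not part of the question or the answer: the internal network is given in CIDR form (192.168.1.0/24) instead of a regular expression, the LOCAL value the event writes for console sessions is handled explicitly, and the filter is run over constructed sample rows. The function names, the extra loopback ranges and the sample rows are this example's own assumptions.

```powershell
# Added example (not from the question or the answer); names and sample rows are this example's own.
function ConvertTo-IPv4Int {
    # IPv4 literal -> [int64] in host order; $null for LOCAL, IPv6 or anything unparsable.
    param([string]$Text)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    [int64]$value = 0
    foreach ($b in $ip.GetAddressBytes()) { $value = $value * 256 + $b }
    return $value
}
function Test-IPv4InCidr {
    # True when $IPAddress lies inside $Cidr (e.g. '192.168.1.0/24'); no prefix length means /32.
    param([string]$IPAddress, [string]$Cidr)
    $netText, $bitsText = $Cidr -split '/', 2
    $bits = if ($bitsText) { [int]$bitsText } else { 32 }
    if ($bits -lt 0 -or $bits -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $ipInt  = ConvertTo-IPv4Int $IPAddress
    $netInt = ConvertTo-IPv4Int $netText
    if ($null -eq $ipInt -or $null -eq $netInt) { return $false }
    # Mask with the top $bits bits set; built arithmetically so no signed 32-bit shift can overflow.
    [int64]$mask = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}
function Test-RdpSourceIsInternal {
    # Classifies the Address field of events 21/23/24/25 as internal (to be dropped) or not.
    param(
        [string]$Address,
        [string[]]$InternalRanges = @('192.168.1.0/24', '127.0.0.0/8')   # assumed site ranges
    )
    # Console sessions write the literal LOCAL; treating '::1' (IPv6 loopback) as local is an assumption.
    if ($Address -eq 'LOCAL' -or $Address -eq '::1') { return $true }
    foreach ($range in $InternalRanges) {
        if (Test-IPv4InCidr -IPAddress $Address -Cidr $range) { return $true }
    }
    return $false
}
# Constructed sample rows in the shape the scripts above build from the event XML.
$rows = @(
    [PSCustomObject]@{ User = 'CONTOSO\alice'; IPAddress = '192.168.1.37';  EventID = '21' }
    [PSCustomObject]@{ User = 'CONTOSO\bob';   IPAddress = 'LOCAL';         EventID = '21' }
    [PSCustomObject]@{ User = 'CONTOSO\carol'; IPAddress = '203.0.113.9';   EventID = '25' }
    [PSCustomObject]@{ User = 'CONTOSO\dave';  IPAddress = '192.168.100.5'; EventID = '21' }
)
$rows | Where-Object { -not (Test-RdpSourceIsInternal -Address $_.IPAddress) }
```

With these rows only the two addresses outside 192.168.1.0/24 are reported; an unescaped pattern such as "^192.168.1." would also have matched 192.168.100.5 and any 192.168.10.x host, because the dot after the 1 matches any character.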
