I have been fighting with this for a few hours (don't laugh). What I need is very simple, but I just can't get it. I avoid PowerShell, but I really want to add it to my portfolio. Every time I try it, it infuriates me. Anyway...
The event data is as follows:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 21/10/2020 14:17:13
Event ID: 4725
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: V-XXXXX1.opXXl.local
Description:
A user account was disabled.
Subject:
Security ID: OPXXL\w126389
Account Name: w126389
Account Domain: OPXXL
Logon ID: 0x43846C4
Target Account:
Security ID: OPXXL\nmctest
Account Name: nmctest
Account Domain: OPXXL
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-10-21T13:17:13.084423200Z" />
<EventRecordID>118968190</EventRecordID>
<Correlation />
<Execution ProcessID="640" ThreadID="1280" />
<Channel>Security</Channel>
<Computer>V-NXXXXX1.oXXl.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">nmctest</Data>
<Data Name="TargetDomainName">OXXL</Data>
<Data Name="TargetSid">S-1-5-21-3289407757-3693523607-1375118011-18123</Data>
<Data Name="SubjectUserSid">S-1-5-21-3289407757-3693523607-1375118011-1134</Data>
<Data Name="SubjectUserName">w126389</Data>
<Data Name="SubjectDomainName">OXXXL</Data>
<Data Name="SubjectLogonId">0x43846c4</Data>
</EventData>
</Event>
$events = Get-WinEvent -FilterHashtable @{logname="Security";id=4725}
$event = [xml]$events[0].ToXml()   # $event is now the parsed XmlDocument, not the EventLogRecord
$eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Object {
$date = [DateTime]$_
$date.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
}
$eventdate + "," + $event.SelectSingleNode("//*[@Name='TargetUserName']")."#text" + ",Account was disabled," + $event.SelectSingleNode("//*[@Name='SubjectUserName']")."#text"
The output is:
PS C:\Windows\system32> C:\Users\w126389\Documents\event logs.ps1
Select-Object : Property "TimeCreated" cannot be found.
At C:\Users\w126389\Documents\event logs.ps1:3 char:23
+ $eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (#document:PSObject) [Select-Object], PSArgumentException
+ FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
,nmctest,Account was disabled,w126389
The output I expect is:
2020-10-21 13:17:13,nmctest,Account was disabled,w126389
As you can see, I am getting all the other fields I need, everything except the date!
Any help would be greatly appreciated.
Thanks.
TimeCreated is a property of the original EventLogRecord object returned by Get-WinEvent, not of the XML document you cast it to:
$eventdate = $events[0].TimeCreated.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
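A fuller version of the same idea, added here as an example and not part of the original question or answer. It shows both places the timestamp can come from: the record's TimeCreated property (which is local time, hence the 14:17:13 in the "Date:" line above) and the SystemTime attribute inside the event XML (UTC, which is where the 13:17:13 in the expected output comes from). The function name ConvertTo-AccountDisabledCsv and the -Record/-EventXml parameters are my own; the sample XML is the event from the question, trimmed to the fields used, so the function can be tried without a Security log at hand.

```powershell
# Added example (not from the original post). Builds the CSV line
#   <utc timestamp>,<target account>,Account was disabled,<subject account>
# for a 4725 event, taking the names from the event XML and the time either
# from the EventLogRecord or from the XML's SystemTime attribute.

function ConvertTo-AccountDisabledCsv {
    param(
        # Raw event XML, as returned by EventLogRecord.ToXml()
        [Parameter(Mandatory)][string]$EventXml,
        # Optional: the record itself; if given, its TimeCreated property is used
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )
    $xml = [xml]$EventXml

    if ($Record) {
        # TimeCreated lives on the record, not on the parsed XML, and is local time.
        # Convert to UTC so it matches the SystemTime stored in the event.
        $when = $Record.TimeCreated.ToUniversalTime()
    } else {
        # SystemTime is an xs:dateTime with nine fractional digits and a trailing 'Z'.
        # XmlConvert understands that format directly and keeps the UTC offset.
        $stamp = $xml.Event.System.TimeCreated.SystemTime
        $when  = [System.Xml.XmlConvert]::ToDateTimeOffset($stamp).UtcDateTime
    }

    # Attribute-based XPath: matches regardless of the document's default namespace.
    $target  = $xml.SelectSingleNode("//*[@Name='TargetUserName']").'#text'
    $subject = $xml.SelectSingleNode("//*[@Name='SubjectUserName']").'#text'

    '{0},{1},Account was disabled,{2}' -f $when.ToString('yyyy-MM-dd HH:mm:ss'), $target, $subject
}

# Constructed sample input: the event XML from the question, trimmed to the fields used.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4725</EventID>
    <TimeCreated SystemTime="2020-10-21T13:17:13.084423200Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">nmctest</Data>
    <Data Name="SubjectUserName">w126389</Data>
  </EventData>
</Event>
'@

# Offline run on the sample: 2020-10-21 13:17:13,nmctest,Account was disabled,w126389
ConvertTo-AccountDisabledCsv -EventXml $sampleXml

# Live run against the Security log (needs an elevated session to read it):
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4725 } -MaxEvents 20 |
    ForEach-Object { ConvertTo-AccountDisabledCsv -EventXml $_.ToXml() -Record $_ }
```

If you want the local time instead, drop the ToUniversalTime() call; just be consistent, because a CSV that mixes the record's local TimeCreated with timestamps read from the XML will be off by the machine's UTC offset.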