我试图从事件查看器日志中提取所有登录尝试失败的用户名,然后仅列出用户名。但是,每个条目的数据都是文本,因此我很难仅提取名称(在本例中为Intruder123)。它将是存储在数组中的几百个帐户名。
$String = Get-WinEvent @{LogName='Security';ProviderName='Microsoft-Windows-Security-Auditing';ID=4625 } -ComputerName SECRETSERVER |
Select-Object -ExpandProperty Message
$string -match "Account Name: (?<content>.*)"
$matches['content']
数据看起来像这样(多次):
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Intruder123
Account Domain: SECRET.LOCAL
我认为您可以收集更多的信息,如登录失败发生的时间和在哪台计算机上。为此,创建一个结果对象数组。
此外,尝试解析Message属性可能很麻烦,我认为最好从事件中获得XML形式的信息:
$filter = @{LogName='Security';ProviderName='Microsoft-Windows-Security-Auditing';ID=4625 }
$result = Get-WinEvent -FilterHashtable $filter -ComputerName SECRETSERVER | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
$userName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
$computer = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'WorkstationName' }).'#text'
# output the properties you need
[PSCustomObject]@{
Time = [DateTime]$eventXml.System.TimeCreated.SystemTime
UserName = $userName
Computer = $computer
}
}
# output on screen
$result
# output to CSV file
$result | Export-Csv -Path 'X:FailedLogons.csv' -NoTypeInformation