论坛里面有人询问如何使用powershell脚本查询文件修改的审计日志,豆子服务器没开这个功能,不过尝试写了个类似的脚本可以查询日志,并输出对应的xml内容。
基本方法是get-winevent, 可以指定对应的eventid,获取列表。如果想获取这个事件具体的内容,需要根据不同事件的xml内容进行变化。
比如
|
1
2
3
|
$Events
=
Get-WinEvent
-ComputerName syddc01 -FilterHashtable @{Logname=
'Security'
;Id=4771} -MaxEvents 1
$eventXML
=
[xml]
$Event
.ToXml()
$eventxml
.event.event.data
|
根据这个思路,我如果想获取最新的20个4771的事件日志,并输出结果
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
$Events
=
Get-WinEvent
-ComputerName syddc01 -FilterHashtable @{Logname=
'Security'
;Id=4771} -MaxEvents 20
# Parse out the event message data
ForEach
(
$Event
in
$Events
) {
# Convert the event to XML
$eventXML
=
[xml]
$Event
.ToXml()
# Iterate through each one of the XML message properties
For
(
$i
=0;
$i
-lt
$eventXML
.Event.EventData.Data.Count;
$i
++) {
# Append these as object properties
Add-Member
-InputObject
$Event
-MemberType NoteProperty -Force -Name
$eventXML
.Event.EventData.Data[
$i
].name -Value
$eventXML
.Event.EventData.Data[
$i
].
'#text'
}
}
$events
| select Message, TargetUserName, ipaddress,timecreated |
Out-GridView
|
有的时候,事件的数目很多,我希望对这个时间进行一个限制。千万别用 where-object 的方式来过滤,不然等到地老天荒也未必出结果。
我们需要通过哈希表来过滤
|
1
2
3
|
$endtime
=
get-date
$starttime
=
$endtime
.addminutes(-1)
$eventcritea
= @{logname=
'security'
;id=4740;starttime=
$starttime
;endtime=
$endtime
}
|
另外一种常见的方式是通过xmlfilter来过滤日志
首先,我们可以通过event viewer来自定义一个xpath
因为是不同的事件,他的eventdata结果是不一样的,因此我做了些变动。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[xml]
$xmlFilter
= @
"
<QueryList>
<Query Id="
0
" Path="
Application
">
<Select Path="
Application
">*[System[(EventID=1002) and TimeCreated[timediff(@SystemTime) <= 604800000]]]</Select>
</Query>
</QueryList>
“@
#Get-WinEvent -ComputerName $DC.DC -LogName Security -FilterXPath "
*[System[(EventID=529 or EventID=644 or EventID=675 or EventID=676 or EventID=681 or EventID=4625) and TimeCreated[timediff(
@SystemTime
) <= 86400000]]]
" #-MaxEvents 50
$Events = Get-WinEvent -ComputerName syddc01 -FilterXML $xmlFilter
ForEach ($Event in $Events) {
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
# Append these as object properties
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name "
App" -Value
$eventXML
.Event.EventData.Data[5]
}
}
$Events
| select Message, App, providerName, timecreated |
Out-GridView
|
结果如下
最后再给一个例子,我希望获取lockout用户的信息以及他们是在哪里被锁住的,这个日志我们查看4771或者4740。4771的日志过多,查询太慢,所以这里我已4740为例。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
$eventcritea
= @{logname=
'security'
;id=4740}
$Events
=
get-winevent
-ComputerName (
Get-ADDomain
).pdcemulator -FilterHashtable
$eventcritea
#$Events = Get-WinEvent -ComputerName syddc01 -Filterxml $xmlfilter
# Parse out the event message data
ForEach
(
$Event
in
$Events
) {
# Convert the event to XML
$eventXML
=
[xml]
$Event
.ToXml()
# Iterate through each one of the XML message properties
For
(
$i
=0;
$i
-lt
$eventXML
.Event.EventData.Data.Count;
$i
++) {
# Append these as object properties
Add-Member
-InputObject
$Event
-MemberType NoteProperty -Force -Name
$eventXML
.Event.EventData.Data[
$i
].name -Value
$eventXML
.Event.EventData.Data[
$i
].
'#text'
}
}
$events
| select TargetUserName,timecreated, targetdomainname |
Out-GridView
-Title LockOutStatus
break
;
Search-ADAccount -LockedOut |
ForEach-Object
{Unlock-ADAccount -Identity
$_
.distinguishedname }
|
本文转自 beanxyz 51CTO博客,原文链接:http://blog.51cto.com/beanxyz/1695288,如需转载请自行联系原作者
