How to filter Windows event Security logs based on Security ID (SID) and EventID using PowerShell
When I filter Windows Security logs by EventId and Security Id (SID) separately, I get the output. Now I want to merge the two filters. I want to filter by EventId and SID both. If SID is 'System' it should filter it out. How do I merge the two filters?
Here is the code for filtering EventIds:
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" | where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
Here is the code for filtering based on SID:
$out += Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]' |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
Does this work for you?
Get-WinEvent -FilterHashtable @{path='C:\Windows\System32\winevt\Logs\Security.evtx'; data = 'S-1-5-21-1004336348-1383384898-1417001333-892045'}| where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
It's just another calculated property you add to the first block. No reason for the separate code block.
So, try this to get the combined data you are after. We just take your code as is and use the .Net Xml namespace to get the SID or any other item(s) you choose. You can of course filter as you like on the final collection.
Clear-Host
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name="TimeGenerated";Expression={$_."TimeCreated"}},
@{Name="Source";Expression={$_."Id"}},
@{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
-First 9 `
| Format-table -AutoSize
TimeGenerated Source SubjectUserSidValue Message
------------- ------ ------------------- -------
1/31/2018 5:27:16 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:16 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:16 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:16 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:07 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:07 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:07 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:26:31 AM 4634 S-1-5-21-3... An account was logged off....
1/31/2018 5:26:29 AM 4634 S-1-5-18 An account was logged off....
Update as per OP additional question
This is what you can grab by array position from the XML.
Name #text
---- -----
SubjectUserSid S-1-5-18
SubjectUserName 2012DC$
SubjectDomainName CONTOSO
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName postanote
TargetDomainName CONTOSO
Status 0xc000015b
FailureReason %%2308
SubStatus 0x0
LogonType 4
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName 2012DC
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x390
ProcessName C:\Windows\System32\svchost.exe
IpAddress -
IpPort -
So, updating the script becomes...
Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name='TimeGenerated';Expression={$_.'TimeCreated'}},
@{Name='Source';Expression={$_.'Id'}},
@{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
@{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
@{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
-First 100 `
| Format-table -AutoSize
Updating again to reflect the OP's next question...
As per your last question / request, then for the other values the update becomes this.
How to collect the full info before parsing...
$Event = Get-WinEvent ...
$Event | Select -Property *
$EventXML = [xml]$Event.ToXml()
$EventXML.Event.EventData.Data
Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name='TimeGenerated';Expression={$_.'TimeCreated'}},
@{Name='EventID';Expression={$_.'Id'}},
@{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
@{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
@{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
@{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
-First 9 `
| Format-table -AutoSize
TimeGenerated EventID TaskCategory SubjectUserSid AccountName LogonProcessName
------------- ------- ------------ -------------- ----------- ----------------
2/2/2018 2:41:03 AM 4634 Logoff S-1-5-21-376... spadmin
2/2/2018 2:40:53 AM 4624 Logon S-1-0-0 - -
2/2/2018 2:40:51 AM 4634 Logoff S-1-5-21-376... SKY01$
2/2/2018 2:40:37 AM 4634 Logoff S-1-5-18 DC01$
...
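The following is an added example (not part of the question or either answer) that combines all three filters the thread discusses in one pipeline: the EventID list, the one-hour window, and the SID, while dropping events whose subject is Local System (S-1-5-18). It pushes the ID and time filtering into the event log service via -FilterHashtable and reads EventData fields by their @Name attribute instead of array position, because the position of SubjectUserSid differs between event IDs such as 4624 and 4688. The SID and log path come from the question; $SystemSid and the Get-EventDataField helper are assumptions made for this example.

```powershell
# Added example, not the original poster's or answerer's code.
$TargetSid = 'S-1-5-21-1004336348-1383384898-1417001333-892045'   # SID from the question
$SystemSid = 'S-1-5-18'                                           # Local System, to be excluded
$LogPath   = 'C:\Windows\System32\winevt\Logs\Security.evtx'
$EventIds  = 4624,4634,4778,4779,4608,4609,4800,4801,4802,4803,4688,4689

# Let the event log service filter on Id and time; this is far cheaper than
# Where-Object over every record in a large Security.evtx.
$Filter = @{
    Path      = $LogPath
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-1)
}

function Get-EventDataField {
    # Look a field up by its @Name attribute so the result does not depend on
    # the field's position, which changes from one event ID to another.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $node = ([xml]$Event.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Logon events carry the account in TargetUserSid, process events in
        # SubjectUserSid, so collect both before filtering.
        $subject = Get-EventDataField -Event $_ -Name 'SubjectUserSid'
        $target  = Get-EventDataField -Event $_ -Name 'TargetUserSid'
        [pscustomobject]@{
            TimeGenerated  = $_.TimeCreated
            EventID        = $_.Id
            TaskCategory   = $_.TaskDisplayName
            SubjectUserSid = $subject
            TargetUserSid  = $target
            AccountName    = Get-EventDataField -Event $_ -Name 'TargetUserName'
        }
    } |
    Where-Object {
        # Keep events that involve the wanted SID and drop Local System activity.
        ($_.SubjectUserSid -eq $TargetSid -or $_.TargetUserSid -eq $TargetSid) -and
        $_.SubjectUserSid -ne $SystemSid
    } |
    Format-Table -AutoSize
```

Run from an elevated PowerShell session, since reading Security.evtx requires administrative rights; -ErrorAction SilentlyContinue suppresses the "No events were found" error when the window is empty.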