How to filter Windows event security logs based on security ID (SID) and EventID using PowerShell

When I filter Windows Security logs by EventId and Security Id (SID) separately, I get the output. Now I want to merge the two filters. I want to filter by EventId and SID both. If SID is 'System', it should filter it out. How do I merge the two filters? Here is the code for filtering EventIds:

 Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx"  | where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689}  |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName   

Here is the code for filtering based on SID:

$out += Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]'  |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName  

Does this work for you?

Get-WinEvent -FilterHashtable @{path='C:\Windows\System32\winevt\Logs\Security.evtx'; data = 'S-1-5-21-1004336348-1383384898-1417001333-892045'}| where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689}  |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

It's just another calculated property you add to the first block. No reason for the separate code block.

So, try this to get the combined data you are after. We just take your code as is and use the .Net Xml namespace to get the SID or any other item(s) you choose. You can of course filter as you like on the final collection.

Clear-Host
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, 
          @{Name="Source";Expression={$_."Id"}},
          @{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
          -First 9 `
          | Format-table -AutoSize


TimeGenerated        Source SubjectUserSidValue    Message                                                                      
-------------        ------ -------------------    -------
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:26:31 AM   4634 S-1-5-21-3...          An account was logged off....
1/31/2018 5:26:29 AM   4634 S-1-5-18               An account was logged off....

Update as per OP additional question

This is what you can grab by array position from the XML.

Name                      #text                          
----                      -----                          
SubjectUserSid            S-1-5-18                       
SubjectUserName           2012DC$                        
SubjectDomainName         CONTOSO                        
SubjectLogonId            0x3e7                          
TargetUserSid             S-1-0-0                        
TargetUserName            postanote                        
TargetDomainName          CONTOSO                        
Status                    0xc000015b                     
FailureReason             %%2308                         
SubStatus                 0x0                            
LogonType                 4                              
LogonProcessName          Advapi                         
AuthenticationPackageName Negotiate                      
WorkstationName           2012DC                         
TransmittedServices       -                              
LmPackageName             -                              
KeyLength                 0                              
ProcessId                 0x390                          
ProcessName               C:\Windows\System32\svchost.exe
IpAddress                 -                              
IpPort                    -

So, updating the script becomes...

Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
          @{Name='Source';Expression={$_.'Id'}},
          @{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
          @{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
          @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
          -First 100 `
          | Format-table -AutoSize

Updating again to reflect the OP's next question...

As per your last question / request, then, for the other values, the update becomes this.

How to collect the full info before parsing...

$Event = Get-WinEvent ...
$Event | Select -Property *
$EventXML = [xml]$Event.ToXml()
$EventXML.Event.EventData.Data


Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
        @{Name='EventID';Expression={$_.'Id'}},
        @{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
        @{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
        @{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
        @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
        -First 9 `
        | Format-table -AutoSize



TimeGenerated       EventID TaskCategory SubjectUserSid  AccountName LogonProcessName
-------------       ------- ------------ --------------  ----------- ----------------
2/2/2018 2:41:03 AM    4634 Logoff       S-1-5-21-376... spadmin
2/2/2018 2:40:53 AM    4624 Logon        S-1-0-0         -           -
2/2/2018 2:40:51 AM    4634 Logoff       S-1-5-21-376... SKY01$
2/2/2018 2:40:37 AM    4634 Logoff       S-1-5-18        DC01$
...
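As an added example (not code from the question or from either answer above), here is one pipeline that folds the event-ID list, the time window and the SID into a single -FilterHashtable, drops the well-known SYSTEM SID (S-1-5-18) that the question wants excluded, and reads EventData fields by their Name attribute rather than by array position. The function name is my own, and the .evtx path and the SID are placeholders to replace.

```powershell
# Added example: filter Security events by event ID and SubjectUserSid in one
# Get-WinEvent call, exclude SYSTEM, and read EventData fields by name.
# Assumptions: the default path and the SID in the usage line are placeholders.

function Get-FilteredSecurityEvents {
    [CmdletBinding()]
    param(
        [string]   $Path       = 'C:\Windows\System32\winevt\Logs\Security.evtx',  # placeholder path
        [int[]]    $EventId    = @(4624, 4634, 4778, 4779, 4608, 4609, 4800, 4801, 4802, 4803, 4688, 4689),
        [string]   $SubjectSid = '',              # e.g. 'S-1-5-21-...-892045'; empty = any SID
        [string[]] $ExcludeSid = @('S-1-5-18'),   # SYSTEM; add S-1-5-19 / S-1-5-20 for the service accounts
        [int]      $Hours      = 1
    )

    # Let the event log service do the filtering: Id, time window and (optionally)
    # the SID are all expressed in one hashtable instead of three Where-Object stages.
    # The Data key matches any EventData field, so the SID is checked again below.
    $filter = @{
        Path      = $Path
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($SubjectSid) { $filter['Data'] = $SubjectSid }

    # -ErrorAction SilentlyContinue turns "No events were found" into an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Build a name -> value map of the EventData fields. Positions differ
        # between event IDs (Data[11] is LogonProcessName for 4624 but not for
        # 4688), so look fields up by their Name attribute instead of by index.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Logoff events (4634) carry only TargetUserSid, not SubjectUserSid,
        # which is why Data[0] "works" for both in the answers above.
        $sid = $data['SubjectUserSid']
        if (-not $sid) { $sid = $data['TargetUserSid'] }

        if ($ExcludeSid -contains $sid) { return }               # drop SYSTEM etc.
        if ($SubjectSid -and $sid -ne $SubjectSid) { return }   # Data matched some other field

        [pscustomobject]@{
            TimeGenerated    = $_.TimeCreated
            EventID          = $_.Id
            TaskCategory     = $_.TaskDisplayName
            SubjectUserSid   = $sid
            SubjectUserName  = $data['SubjectUserName']
            TargetUserName   = $data['TargetUserName']
            LogonType        = $data['LogonType']
            LogonProcessName = $data['LogonProcessName']
        }
    }
}

# Usage: last hour of events for one account (placeholder SID), SYSTEM excluded
Get-FilteredSecurityEvents -SubjectSid 'S-1-5-21-1004336348-1383384898-1417001333-892045' |
    Format-Table -AutoSize
```

Two design points: the Id, StartTime and Data keys are evaluated by the event log service before any record reaches the pipeline, so this runs noticeably faster on a large Security.evtx than piping everything through Where-Object; and because the Data key matches any EventData value, the script re-checks that the SID it matched is really the subject (or target) SID rather than, say, a SID that appears in a different field of an unrelated event.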
