如何用 Windows 防火墙的显示名称替换此 PowerShell 命令中的 Filter Origin?
[英]How to replace Filter Origin in this PowerShell command with Windows Firewall's display name?
问题描述
Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } | ? { $_.Message -like "*Outbound*" -and -not($_.message -like "*ICMP*")} | select Message | ft -wrap
Found that in here , after running it, the results look like this:
发现在这里,运行之后,结果是这样的:
filter origin has this ID which is Firewall's unique name but I want to see a more user friendly name so I can understand immediately which Firewall rule, based on its display name that I set, blocked this connection. filter origin 有这个 ID,它是防火墙的唯一名称,但我想看到一个对用户更友好的名称,这样我可以立即了解哪个防火墙规则(基于我设置的显示名称)阻止了此连接。
Update: I want to do something like this.更新:我想做这样的事情。 but it doesn't work like this and I need help fixing it.但它不是这样工作的,我需要帮助修复它。 basically, I want to keep the same output format that the original script shows and only replace things like this {a42a62ec-83d9-4ab5-9d54-4dbd20cfab17} with their display name.基本上,我想保留与原始脚本显示相同的 output 格式,并且仅将{a42a62ec-83d9-4ab5-9d54-4dbd20cfab17}替换为其显示名称。
$data = (Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } |
? { $_.Message -like "*Outbound*" -and -not($_.message -like "*ICMP*")}).message
$data -replace "(?<=Filter Origin:[^{]+){.+?}",{(Get-NetFirewallRule -Name $Matches[0]).DisplayName}
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators?view=powershell-7.2#replacement-with-a-script-block https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators?view=powershell-7.2#replacement-with-a-script-block
2 个解决方案
解决方案1
2 2023-01-03 14:44:40
You can turn events into xml and access each field seperately.您可以将事件转换为 xml 并分别访问每个字段。 I don't have your exact event type.我没有您的确切事件类型。
$a = Get-WinEvent @{ LogName='Security' } -maxevents 1
$xml = [xml]$a.toxml()
$xml.event.eventdata.data
Name #text
---- -----
SubjectUserSid S-1-5-19
SubjectUserName LOCAL SERVICE
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e5
PreviousTime 2023-01-03T14:40:58.3894712Z
NewTime 2023-01-03T14:40:58.3975397Z
ProcessId 0x59c
ProcessName C:\Windows\System32\svchost.exe
$xml.event.eventdata.data | ? name -eq processname | % '#text'
C:\Windows\System32\svchost.exe
Get-WinEvent @{ LogName='Security' } | % { $xml = [xml]$_.toxml()
$xml.event.eventdata.data | ? name -eq 'processname' | % '#text' }
解决方案2
1 已采纳 2023-01-03 02:10:32
Did a quick google search and saw this documentation on troubleshooting firewalls, and it points to Get-NetFireWallRule being able to get the display name from the ID.快速进行谷歌搜索并查看了有关防火墙故障排除的文档,它指出Get-NetFireWallRule能够从 ID 中获取显示名称。 That said, you can use some handy RegEx of (?<=Filter Origin:[^{]+){.+?} to get the unique ID and query its friendly name:也就是说,您可以使用(?<=Filter Origin:[^{]+){.+?}的一些方便的正则表达式来获取唯一 ID 并查询其友好名称:
Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } |
? { $_.Message -like "*Outbound*" -and $_.Message -notlike "*ICMP*" } |
Select TimeCreated, @{
Name = 'Msg'
Expression = {
if ($_.Message -match ($pattern = '(?<=Filter Origin:[^{]+){.+?}'))
{
$_.Message -replace $pattern, (Get-NetFirewallRule -Name $Matches[0]).DisplayName
}
else
{
$_.Message
}
}
} | Ft -Wrap
Placing it inside an if statement allows it to leave the message alone if no match was found for patterns that may be the unique ID.如果没有找到可能是唯一 ID 的模式的匹配项,将它放在 if 语句中允许它不理会消息。 See RegEx101 for more info on the pattern itself.有关模式本身的更多信息,请参阅RegEx101 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.