This is a long post that I've edited from an answer I gave on Stack Overflow. Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information from the 'Message' field of the "An account was successfully logged on" event (ID=4624), which carries the "Logon Type".
Get-WinEvent -max 100 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"
Logon Type: 5
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 5
...
Get-WinEvent Security -max 100 | Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more
Id Level Message
-- ----- -------
4624 0 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
....
Now I introduce the '-FilterHashtable' parameter, which greatly speeds up queries. Below are two commands which do essentially the same thing in about the same period of time:
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | ft TimeCreated,MachineName,Message -auto -wrap | more
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more
TimeCreated MachineName Message
----------- ----------- -------
6/29/2011 12:36:35 PM rmfvpc An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
...
Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more
@{TimeCreated=06/29/2011 12:36:35; MachineName=rmfvpc; Message=An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
...
This last script allows me to dump pre-selected information from the logon events Message field into a spreadsheet. Very useful.
$LogonTypes = Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}
foreach ($item in $LogonTypes) {
    ($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace " ","" -join "," | out-file -append test3.csv
}
where search.lst contains:
TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:
The result is a spreadsheet that looks like this:
However, what I need is to be able to search the message field of multiple 'logon' event types...so on to
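As an added example (my own code, not from the original post), here is the same extraction done against the structured EventData of each 4624 event via ToXml() rather than by grepping the Message text, so the Subject fields and the New Logon fields are never confused, with the Logon Type number decoded; it assumes an elevated session on a host whose Security log is readable, and the output path is a placeholder:

```powershell
# Added example: pull the fields that search.lst targets straight from the
# structured EventData of each 4624 event instead of grepping the Message text.
# Assumes an elevated session with read access to the Security log.
$OutCsv = 'C:\temp\logons.csv'   # placeholder path, change as needed

# Well-known meanings of the Logon Type values seen in 4624 events
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEventData {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # ToXml() exposes EventData as <Data Name="...">value</Data> elements, which
            # avoids the ambiguity of two "Account Name:" lines in the rendered Message.
            [xml]$xml = $_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            $type = [int]$d['LogonType']
            $typeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                SubjectSid    = $d['SubjectUserSid']    # who requested the logon
                SubjectUser   = $d['SubjectUserName']
                TargetSid     = $d['TargetUserSid']     # the account that was logged on
                TargetUser    = $d['TargetUserName']
                TargetDomain  = $d['TargetDomainName']
                LogonId       = $d['TargetLogonId']
                LogonType     = $type
                LogonTypeName = $typeName
                LogonGuid     = $d['LogonGuid']
                ProcessName   = $d['ProcessName']
                IpAddress     = $d['IpAddress']
            }
        }
}

# Write the rows to CSV and show a count per logon type for a first look
$rows = Get-LogonEventData -MaxEvents 500
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Group-Object LogonTypeName | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Because the values come from named EventData fields, the same function works unchanged for the other logon-related event IDs whose XML carries the same field names, which is the direction the post is heading.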