I'm writing a PowerShell script to watch for certain event log entries. I can subscribe to the Security log and trigger a script block when one of the events is logged. However, I can't find how to get the relevant data out of the event object. The event object I'm working with is of type System.Diagnostics.EventLogEntry. I checked the documentation for that class and used the script block to write all of its available properties to the console:
$CredentialGuardEventIds = 5379,5381,5382   # Credential Manager vault audit event IDs
$SecurityLog = Get-EventLog -List | Where-Object {$_.Log -eq 'Security'}
Register-ObjectEvent -InputObject $SecurityLog -SourceIdentifier NewCredentialEvent -EventName EntryWritten -Action {
    # $Event is the automatic variable for the event that fired; Entry is a System.Diagnostics.EventLogEntry
    $entry = $Event.SourceEventArgs.Entry
    # The -Action block runs in its own scope: if the check below never fires when this is run from a .ps1
    # file, define the ID list as $global:CredentialGuardEventIds or inline it here.
    if ($CredentialGuardEventIds -contains $entry.EventID) {
        Write-Host "Event $($entry.EventID) occurred"
        Write-Host "CanRaiseEvents: $($entry.CanRaiseEvents)"
        Write-Host "Category: $($entry.Category)"
        Write-Host "CategoryNumber: $($entry.CategoryNumber)"
        Write-Host "Container: $($entry.Container)"
        Write-Host "Data: $($entry.Data)"
        Write-Host "DesignMode: $($entry.DesignMode)"
        Write-Host "EntryType: $($entry.EntryType)"
        Write-Host "EventID: $($entry.EventID)"
        Write-Host "Events: $($entry.Events)"
        Write-Host "Index: $($entry.Index)"
        Write-Host "InstanceId: $($entry.InstanceId)"
        Write-Host "MachineName: $($entry.MachineName)"
        Write-Host "Message: $($entry.Message)"
        Write-Host "ReplacementStrings: $($entry.ReplacementStrings)"
        Write-Host "Site: $($entry.Site)"
        Write-Host "Source: $($entry.Source)"
        Write-Host "TimeGenerated: $($entry.TimeGenerated)"
        Write-Host "TimeWritten: $($entry.TimeWritten)"
        Write-Host "UserName: $($entry.UserName)"
    }
}
That prints the following data:
CanRaiseEvents:
Category: (13824)
CategoryNumber: 13824
Container:
Data:
DesignMode:
EntryType: SuccessAudit
EventID: 5381
Events:
Index: 771286
InstanceId: 5381
MachineName: REDACTED
Message: Vault credentials were read.
    Subject:
        Security ID: S-1-5-26-2325928431-9938217593-9384716351-3004
        Account Name: redacted
        Account Domain: REDACTED
        Logon ID: 0x44d9f
    This event occurs when a user enumerates stored vault credentials.
ReplacementStrings: S-1-5-21-2356930457-929305828-1234252251-1534 redacted REDACTED 0x3459f 142 6 2019-09-20T23:33:31.671135000Z 15136
Site:
Source: Microsoft-Windows-Security-Auditing
TimeGenerated: 09/24/2019 21:26:27
TimeWritten: 09/24/2019 21:26:27
UserName:
However, the data I'm interested in is what Event Viewer shows on the "Details" tab:
How do I access the data from the "Details" pane via the System.Diagnostics.EventLogEntry object?
Although I don't have any events with those IDs, the following demo code should give you an idea. With Get-WinEvent you can get the XML data like this:
# Logon type numbers used by event 4624 (this lookup table was missing from the snippet as posted)
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
$result = Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} -MaxEvents 100 | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # build a Name -> value lookup from the <Data Name="..."> elements so fields are read by name, not by position
    $dataItems = @{}
    foreach ($d in @($eventXml.EventData.Data)) { $dataItems[$d.Name] = $d.'#text' }
    # get the 'TargetDomainName' value and skip logons by built-in NT AUTHORITY accounts
    $domain = $dataItems['TargetDomainName']
    if ($domain -ne 'NT AUTHORITY') {
        [PSCustomObject]@{
            Domain    = $domain
            UserName  = $dataItems['TargetUserName']
            UserSID   = $dataItems['TargetUserSid']
            LogonType = $logonTypes[[int]$dataItems['LogonType']]
            Date      = [DateTime]$eventXml.System.TimeCreated.SystemTime
            Computer  = $eventXml.System.Computer
        }
    }
}
$result | Format-Table -AutoSize
Hope that helps
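The "Details" pane is just a rendering of the event's XML: its "XML View" is literally what ToXml() returns, and the "Friendly View" is the same <EventData><Data Name="..."> elements laid out as a tree. The EventLogEntry you get from Get-EventLog/EntryWritten carries the same values in ReplacementStrings, in the same order as the <Data> elements, but without the names, so positional indexing works until Microsoft changes the field order between Windows versions. The example below is added here and is not code from the question or the answer. It reads the Details fields by name for the vault event IDs from the question (5379, 5381, 5382), first from existing records and then from a live subscription; for the latter it swaps EventLog.EntryWritten for System.Diagnostics.Eventing.Reader.EventLogWatcher, whose callback receives an EventRecord that has ToXml(). ConvertFrom-SecurityEventXml and the VaultCredentialEvent source identifier are names chosen for this example; it assumes you run elevated, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the original post): read the "Details" (EventData) fields of Security events by name,
# from existing records and from a live subscription, without relying on positional ReplacementStrings.
# Assumptions: run elevated; the vault event IDs of interest are 5379, 5381 and 5382 as in the question.

function ConvertFrom-SecurityEventXml {
    # Turns an EventRecord (Get-WinEvent / EventLogWatcher) into an object whose 'Data' member is a
    # Name -> value table built from <EventData><Data Name="...">, i.e. what the Details pane shows.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml  = ([xml]$Record.ToXml()).Event
        $data = [ordered]@{}
        $i = 0
        foreach ($d in @($xml.EventData.Data)) {
            if ($null -eq $d) { continue }   # events that use <UserData> instead of <EventData> have no Data elements
            # A <Data> element with no attributes is surfaced as a plain string by the XML adapter
            $value = if ($d -is [string]) { $d } else { $d.'#text' }
            # Some providers emit <Data> without a Name attribute; key those by position so nothing is dropped
            $key = if ($d -isnot [string] -and $d.Name) { $d.Name } else { "Data$i" }
            $data[$key] = $value
            $i++
        }
        [PSCustomObject]@{
            RecordId = $Record.RecordId
            Id       = $Record.Id
            Time     = $Record.TimeCreated
            Computer = $xml.System.Computer
            Data     = $data
        }
    }
}

$VaultEventIds = 5379, 5381, 5382

# 1) Existing records: the Subject* fields are common to these audit events; the Fields column lists every
#    named field the event actually carries, so you can see the schema before hard-coding more columns.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $VaultEventIds } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ConvertFrom-SecurityEventXml |
    Select-Object Id, Time,
        @{ n = 'Subject'; e = { "$($_.Data['SubjectDomainName'])\$($_.Data['SubjectUserName'])" } },
        @{ n = 'LogonId'; e = { $_.Data['SubjectLogonId'] } },
        @{ n = 'Fields';  e = { @($_.Data.Keys) -join ',' } } |
    Format-Table -AutoSize

# 2) Live subscription: EventLogWatcher raises EventRecordWritten with an EventRecord (which has ToXml()),
#    unlike EventLog.EntryWritten, which only hands you an EventLogEntry. The XPath filter means the
#    callback fires only for the IDs we care about instead of for every Security event.
$xpath   = '*[System[' + (($VaultEventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ']]'
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
               'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier VaultCredentialEvent -Action {
    # The parsing is inlined here because the -Action block runs in its own scope and does not see
    # functions defined in the script. $EventArgs is EventRecordWrittenEventArgs; EventRecord is $null
    # when the record could not be read (the failure is in $EventArgs.EventException).
    $record = $EventArgs.EventRecord
    if ($null -eq $record) { return }
    $xml  = ([xml]$record.ToXml()).Event
    $data = @{}
    foreach ($d in @($xml.EventData.Data)) { if ($d -and $d.Name) { $data[$d.Name] = $d.'#text' } }
    Write-Host ("[{0}] Event {1}: {2}\{3} (logon {4}) on {5}" -f
        $record.TimeCreated, $record.Id, $data['SubjectDomainName'], $data['SubjectUserName'],
        $data['SubjectLogonId'], $xml.System.Computer)
} | Out-Null
$watcher.Enabled = $true   # start delivery; set to $false and Unregister-Event VaultCredentialEvent to stop
```

Keep $watcher referenced for as long as you want events delivered; if it goes out of scope and is collected, the subscription silently stops. Reading fields by Name rather than by index also protects the script against the same Subject/Target fields sitting at different positions in different event IDs, which is exactly the trap positional ReplacementStrings set for you.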