从System.Diagnostics.EventLogEntry获取事件的详细信息
问题描述 投票:0回答:2
我正在编写PowerShell脚本来关注一些事件日志条目。我可以订阅安全日志并在记录其中一个事件时触发脚本块。但是,我找不到如何从事件对象获取相关数据。我正在与之交互的事件对象的类型为System.Diagnostics.EventLogEntry。我检查了该类的documentation,并使用脚本块将所有可用属性写入控制台:
$CredentialGuardEventIds = 5379,5381,5382
$SecurityLog = Get-EventLog -List | Where-Object {$_.Log -eq 'Security'}
Register-ObjectEvent -InputObject $SecurityLog -SourceIdentifier NewCredentialEvent -EventName EntryWritten -Action {
$entry = $event.SourceEventArgs.Entry
if ($CredentialGuardEventIds -contains $entry.EventID) {
Write-Host "Event $($entry.EventID) occured"
Write-Host "CanRaiseEvents: $($entry.CanRaiseEvents)"
Write-Host "Category: $($entry.Category)"
Write-Host "CategoryNumber: $($entry.CategoryNumber)"
Write-Host "Container: $($entry.Container)"
Write-Host "Data: $($entry.Data)"
Write-Host "DesignMode: $($entry.DesignMode)"
Write-Host "EntryType: $($entry.EntryType)"
Write-Host "EventID: $($entry.EventID)"
Write-Host "Events: $($entry.Events)"
Write-Host "Index: $($entry.Index)"
Write-Host "InstanceId: $($entry.InstanceId)"
Write-Host "MachineName: $($entry.MachineName)"
Write-Host "Message: $($entry.Message)"
Write-Host "ReplacementStrings: $($entry.ReplacementStrings)"
Write-Host "Site: $($entry.Site)"
Write-Host "Source: $($entry.Source)"
Write-Host "TimeGenerated: $($entry.TimeGenerated)"
Write-Host "TimeWritten: $($entry.TimeWritten)"
Write-Host "UserName: $($entry.UserName)"
}
}
输出以下数据:
CanRaiseEvents:
Category: (13824)
CategoryNumber: 13824
Container:
Data:
DesignMode:
EntryType: SuccessAudit
EventID: 5381
Events:
Index: 771286
InstanceId: 5381
MachineName: REDACTED
Message: Vault credentials were read.
Subject:
Security ID: S-1-5-26-2325928431-9938217593-9384716351-3004
Account Name: redacted
Account Domain: REDACTED
Logon ID: 0x44d9f
This event occurs when a user enumerates stored vault credentials.
ReplacementStrings: S-1-5-21-2356930457-929305828-1234252251-1534 redacted REDACTED 0x3459f 142 6 2019-09-20T23:33:31.671135000Z 15136
Site:
Source: Microsoft-Windows-Security-Auditing
TimeGenerated: 09/24/2019 21:26:27
TimeWritten: 09/24/2019 21:26:27
UserName:
但是,我感兴趣的数据显示在事件查看器的“详细信息”选项卡中:
如何从System.Diagnostics.EventLogEntry对象访问“详细信息”窗格中的数据?
2个回答
0
投票
投票
在我看来,信息在message属性中,但是我没有您要查找的事件。
0
投票
投票
尽管我没有这些ID的事件,但是以下演示代码应该可以使您有所了解。使用Get-WinEvent,您可以像这样获取XML数据:
$result = Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} -MaxEvents 100 | ForEach-Object {
# convert the event to XML and grab the Event node
$eventXml = ([xml]$_.ToXml()).Event
# get the 'TargetDomainName' value and check it does not start with 'NT AUTHORITY'
$domain = $eventXml.EventData.Data[$dataItems['TargetDomainName']].'#text'
if ($domain -ne 'NT AUTHORITY' ) {
[PSCustomObject]@{
Domain = $domain
UserName = $eventXml.EventData.Data[$dataItems['TargetUserName']].'#text'
UserSID = $eventXml.EventData.Data[$dataItems['TargetUserSid']].'#text'
LogonType = $logonTypes[[int]$eventXml.EventData.Data[$dataItems['LogonType']].'#text']
Date = [DateTime]$eventXml.System.TimeCreated.SystemTime
Computer = $eventXml.System.Computer
}
}
}
$result | Format-Table -AutoSize
希望有所帮助
最新问题
- 在 mac m1 上安装画布依赖项时出现问题
- 华丽的TabBarItem重定向到另一个页面
- NextJS v14 构建错误与 fetch
- PHP 致命错误:未捕获运行时异常:无法在 SuiteCRM 全新安装上创建 Doctrine 代理目录
- 灯丝 - FullCalendar 过滤器
- 当间隔开始时间不是午夜时,将 5 分钟间隔分组为 15 分钟
- Azure:如何从 Azure 数据工厂触发网络受限的逻辑应用程序
- 在 Firebird 3 中使用 isql-fb 创建用户失败
- 即使在程序结束后我也想存储一个值
- flutter url_launcher 抛出 PlatformException(通道错误,无法在通道上建立连接。,null,null)
- JPQL 如何 JOIN FETCH 与列表的任何匹配条件
- LinearLayout 中的 TextView 被另一个 TextView 推到外面
- 异常堆栈在 Pycharm 中不可点击
- 如何强制 dotnetpublish 在具有多个模块的解决方案上使用发布配置
- 禁用网站的导航栏在悬停时展开以检查元素之间的间距
- 存储库方法getReferenceById是否真的延迟加载以及如何测试它是否抛出异常?
- TypeError:createContext 不是 Next.js 应用程序中的函数
- Wpf DataGrid SelectedIndex 在单元格编辑后返回相同的值
- 按同一消息字段对时间序列数据进行分组,以及它们是否存在于记录 eventtime 的最后一小时[已关闭]
- 错误:AADSTS900144 - 请求正文中缺少“grant_type”参数
© www.soinside.com 2019 - 2024. All rights reserved.