powershell - Count and group event ID 4625 with PowerShell?
Problem description
How can I use the following PowerShell script to get event ID 4625 errors and the total for each Windows Server in my AD domain?
$DCServers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$events  = @()
$totalCt = 0
$servers = @()
foreach ($Server in $DCServers)
{
    Write-Host "Calling Get-WinEvent for $Server"
    $serverEvents = Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue
    if (!$?)
    {
        # Also reached when a DC simply has no 4625 events: Get-WinEvent reports "No events were found" as an error
        Write-Host "Get-WinEvent failure for $Server"
        continue
    }
    if ($null -ne $serverEvents)
    {
        $totalCt += $serverEvents.Count
        # Fixed property names so every object has the same shape and Format-Table shows one row per server
        $servers += [PSCustomObject] @{ Server = $Server; Count = $serverEvents.Count }
        Write-Host $Server $serverEvents.Count
    }
    $serverEvents | ForEach-Object {
        $events += [PSCustomObject] @{
            Date            = $_.TimeCreated
            "Event Id"      = $_.Id
            "User Name"     = $_.Properties[6].Value + "\" + $_.Properties[5].Value   # TargetDomainName\TargetUserName
            "IPAddress"     = $_.Properties[19].Value   # IpAddress; index 21 is past the end of the 21-entry property list
            "FailureReason" = (($_.Message -split "\n") | Select-String -Pattern "Failure Reason:\s+(.+)").Matches[0].Groups[1].Value
            "Status Code"   = '0x{0:X8}' -f $_.Properties[7].Value   # Status as hex, the same form the event XML shows
            "Logon Type"    = $_.Properties[10].Value
            "DC Logged On"  = $_.MachineName   # the DC that logged the event; Properties[13] is the workstation that processed the request
        }
    }
}
$HTML    = '<h1>Head</h1>'
$GetDate = Get-Date
$Report  = 'C:\clu\temp-4625.html'
# convert the array of events to HTML
$events |
    Select-Object Date, "Event Id", "User Name", "IPAddress", "FailureReason", "Status Code", "DC Logged On", "Logon Type" |
    ConvertTo-Html -Head $HTML -PreContent "<H2>Accounts that Failed to Log On</H2>", "<H2>$GetDate </H2>" -PostContent "<p></p>Total 4625 records: $totalCt <p></p>" |
    Out-File $Report -Append
Write-Host "Total 4625 records: $totalCt"
Write-Host "4625 records per server:"
$servers | Format-Table -AutoSize
Write-Host "4625 records grouped by user"
$events | Group-Object "User Name" | Sort-Object Count
Write-Host "4625 records grouped by source IP"
$events | Group-Object "IPAddress" | Sort-Object Count
The goal is to see which servers have event 4625 and to group the events by content, so that I can see which IPs or AD accounts failed to log on where possible.
Solution
Note that you can also get these fields from the event's XML:
$a = Get-WinEvent -MaxEvents 1 -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
$xml = [xml]$a.ToXml()
$xml.Event.EventData.Data
Name #text
---- -----
SubjectUserSid S-1-5-18
SubjectUserName COMP$
SubjectDomainName DOM
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName admin
TargetDomainName COMP
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc000006a
LogonType 7
LogonProcessName User32
AuthenticationPackageName Negotiate
WorkstationName COMP
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0xa60
ProcessName C:\Windows\System32\svchost.exe
IpAddress 127.0.0.1
IpPort 0
Compare with .Properties:
$a.properties
Value
-----
S-1-5-18
COMP$
DOM
999
S-1-0-0
admin
COMP
-1073741715
%%2313
-1073741718
7
User32
Negotiate
COMP
-
-
0
2656
C:\Windows\System32\svchost.exe
127.0.0.1
0
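Building on the answer's point that the event XML names each field, here is an added example (not code from the question or the answer) that parses 4625 events by the EventData Name attribute instead of positional .Properties indexes, maps the documented SubStatus codes to text, and summarises failures per DC, per account and per source IP, which is what the question set out to do. It runs offline on constructed sample events; the functions ConvertFrom-Event4625, Get-FailedLogonSummary and New-Sample4625Xml, the sample data, and the "many accounts from one source" review threshold are assumptions of this example, not anything from the page.

```powershell
# Added example, not code from the question or the answer. Reads 4625 fields by the
# EventData "Name" attribute from ToXml() rather than by .Properties index, then
# summarises failures per DC, account and source IP. Runs offline on constructed
# samples; in production feed it real events, e.g.
#   Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=4625} |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-Event4625

# Common 4625 SubStatus codes (hex, as shown in EventData) and their meaning.
$SubStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
}

function ConvertFrom-Event4625 {
    # Turns the XML text of one 4625 event into a flat object keyed by field name.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        # Index every <Data Name="..."> element by its Name attribute
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $sub = $data.SubStatus
        $reason = if ($sub -and $SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { "Unmapped SubStatus $sub" }
        [pscustomobject]@{
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer    = $xml.Event.System.Computer        # the DC that recorded the event
            Account     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            IpAddress   = $data.IpAddress
            Workstation = $data.WorkstationName             # requesting workstation, not the DC
            LogonType   = [int]$data.LogonType
            Status      = $data.Status
            SubStatus   = $sub
            Reason      = $reason
        }
    }
}

function Get-FailedLogonSummary {
    # Groups parsed events per DC, per account and per source IP. A source that fails
    # against many distinct accounts is flagged for review (threshold is an assumption).
    param([Parameter(Mandatory)][object[]]$Events, [int]$ManyAccounts = 3)
    $perDc = $Events | Group-Object Computer | Select-Object @{n='DC';e={$_.Name}}, Count
    $perAccount = $Events | Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{n='Account';e={$_.Name}}, Count
    $perSource = $Events | Group-Object IpAddress | ForEach-Object {
        $distinct = @($_.Group.Account | Sort-Object -Unique).Count
        [pscustomobject]@{
            IpAddress        = $_.Name
            Failures         = $_.Count
            DistinctAccounts = $distinct
            Review           = ($distinct -ge $ManyAccounts)
        }
    }
    [pscustomobject]@{ Total = $Events.Count; PerDC = $perDc; PerAccount = $perAccount; PerSource = $perSource }
}

function New-Sample4625Xml {
    # Constructed sample in the shape of $event.ToXml(); not real log data.
    param($Computer, $Time, $User, $Ip, $SubStatus)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">$Ip</Data><Data Name="IpPort">0</Data>
  </EventData>
</Event>
"@
}

# Constructed sample events (not real log data): repeated failures for one account,
# one source touching several accounts, and a locked-out service account.
$SampleXml = @(
    New-Sample4625Xml DC01 '2024-03-01T08:00:00.000Z' alice      '10.0.0.5'    '0xc000006a'
    New-Sample4625Xml DC01 '2024-03-01T08:00:05.000Z' alice      '10.0.0.5'    '0xc000006a'
    New-Sample4625Xml DC02 '2024-03-01T08:01:00.000Z' bob        '203.0.113.9' '0xc0000064'
    New-Sample4625Xml DC02 '2024-03-01T08:01:01.000Z' carol      '203.0.113.9' '0xc000006a'
    New-Sample4625Xml DC01 '2024-03-01T08:01:02.000Z' dave       '203.0.113.9' '0xc0000064'
    New-Sample4625Xml DC01 '2024-03-01T08:02:00.000Z' svc_backup '10.0.0.7'    '0xc0000234'
)

$parsed  = $SampleXml | ConvertFrom-Event4625
$summary = Get-FailedLogonSummary -Events $parsed -ManyAccounts 3
"Total 4625 records: $($summary.Total)"
$summary.PerDC      | Format-Table -AutoSize
$summary.PerAccount | Format-Table -AutoSize
$summary.PerSource  | Format-Table -AutoSize
$parsed | Select-Object TimeCreated, Computer, Account, IpAddress, Reason | Format-Table -AutoSize
```

Looking fields up by name also protects the report from the index drift the question ran into (Properties[21] is past the end of the list shown in the answer, and Properties[13] is the requesting workstation rather than the DC); the DC comes from the System/Computer element instead. With the samples above, 203.0.113.9 fails against three distinct accounts and is the only source flagged for review.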