PowerShell: counting and grouping event ID 4625?

Problem description

How can I use the following PowerShell script to get event ID 4625 errors, and the total per server, for every Windows Server in my AD domain?

$DCServers = Get-ADDomainController -filter * | select -ExpandProperty hostname

$events = @()
$totalCt = 0
$servers = @()

Foreach ($Server in $DCServers)
{
    Write-Host "Calling Get-WinEvent for $Server"
    $serverEvents = Get-WinEvent -ComputerName $Server -FilterHashtable @{ logname = 'Security'; id = 4625 } -EA 0
    if (!$?)
    {
        Write-Host "Get-WinEvent failure for $Server"
        continue
    }
    if ($null -ne $serverEvents)
    {
        $totalCt += $serverEvents.Count
        ## one object per server with fixed property names, so "ft" shows every row
        $servers += [PsCustomObject] @{ Server = $Server; Count = $serverEvents.Count }
        Write-Host $server $serverEvents.Count
    }
    
    $serverEvents | ForEach-Object {
        $events += [PsCustomObject] @{
            Date = $_.TimeCreated
            "Event Id" = $_.Id
            "User Name" = $_.Properties[6].Value + "\" + $_.Properties[5].Value ## TargetDomainName\TargetUserName
            "IPAddress" = $_.Properties[19].Value ## IpAddress is index 19; index 21 is past the end of the 4625 property list
            "FailureReason" = (($_.message -split "\n") | Select-String -Pattern "Failure Reason:\s+(.+)").matches[0].groups[1].value
            "Status Code" = '0x{0:x8}' -f $_.Properties[7].Value ## Status field (index 7), shown as NTSTATUS hex
            "Logon Type" = $_.Properties[10].Value
            "DC Logged On" = $Server ## Properties[13] is WorkstationName ("workstation that processed the request"), not the DC
        }
    }
    
}

$HTML = '<h1>Head</h1>'
$GetDate = Get-Date
$Report = 'C:\clu\temp-4625.html'

#convert the array of events to HTML
$Events |
Select-Object Date, "Event Id", "User Name", "FailureReason", "Status Code", "DC Logged On", "Logon Type" |
Convertto-html -head $HTML -PreContent "<H2>Accounts that Failed to Log On</H2>", "<H2>$GetDate </H2>" -PostContent "<p></p>Total 4625 records: $totalCt <p></p>" |
Out-File $Report -append

Write-Host "Total 4625 records: $totalCt"
Write-Host "4625 records per server:"
$servers | ft -auto

Write-Host "4625 records grouped by user"
$events | group "User Name" | sort Count

The goal is to see which servers have event 4625 and to group the events by their contents, so I can see which IPs or AD accounts failed to log on, where that is possible.

Tags: powershell

Solution


Note that you can also get these fields from the event's XML:

$a = Get-WinEvent -Max 1 @{logname='Security'; id=4625}
$xml = [xml]$a.ToXml()
$xml.event.EventData.data

Name                      #text
----                      -----
SubjectUserSid            S-1-5-18
SubjectUserName           COMP$
SubjectDomainName         DOM
SubjectLogonId            0x3e7
TargetUserSid             S-1-0-0
TargetUserName            admin
TargetDomainName          COMP
Status                    0xc000006d
FailureReason             %%2313
SubStatus                 0xc000006a
LogonType                 7
LogonProcessName          User32
AuthenticationPackageName Negotiate
WorkstationName           COMP
TransmittedServices       -
LmPackageName             -
KeyLength                 0
ProcessId                 0xa60
ProcessName               C:\Windows\System32\svchost.exe
IpAddress                 127.0.0.1
IpPort                    0

Compare with .Properties:

$a.properties

Value
-----
S-1-5-18
COMP$
DOM
999
S-1-0-0
admin
COMP
-1073741715
%%2313
-1073741718
7
User32
Negotiate
COMP
-
-
0
2656
C:\Windows\System32\svchost.exe
127.0.0.1
0
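The answer's point, reading the 4625 fields by their EventData name from the event XML rather than by `.Properties` index, carried through into a complete script that also does the per-server count and the per-account and per-IP grouping the question asks for. This is an added example, not code from the question or the answer: the function names `ConvertFrom-Event4625` and `New-SampleEvent4625` are hypothetical, the events it processes are constructed so it runs offline, and the SubStatus text table covers only a handful of the codes Microsoft documents for event 4625.

```powershell
# Added example (not code from the question or the answer): read 4625 fields by
# EventData *name* from the event XML rather than by .Properties index, then count
# per server and group by account, source IP and failure reason. Function names
# and the sample events are constructed for this example.

# Text for a few well-known 4625 SubStatus codes (documented by Microsoft for
# event 4625); anything not listed is shown as the raw code.
$SubStatusText = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
}

function ConvertFrom-Event4625 {
    # Takes the XML text of one event (what $event.ToXml() returns) plus the DC it
    # was read from, and returns one flat object keyed by EventData field names.
    param(
        [Parameter(Mandatory)][string]$EventXml,
        [Parameter(Mandatory)][string]$Server
    )
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $sub    = "$($data['SubStatus'])".ToLower()
    $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }
    [pscustomobject]@{
        Date        = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Server      = $Server                       # the DC that logged the failure
        UserName    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        IpAddress   = $data['IpAddress']
        LogonType   = [int]$data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        Reason      = $reason
        Workstation = $data['WorkstationName']
    }
}

function New-SampleEvent4625 {
    # Constructed sample in the shape ToXml() produces; only the fields read above.
    param($Time, $User, $Domain, $Ip, $SubStatus, $LogonType = 3, $Workstation = '-')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Constructed events from two DCs: one user mistyping a password, and one source
# IP failing against several different accounts (the pattern a spray leaves in the log).
$samples = @(
    @{ Server = 'DC01'; Xml = New-SampleEvent4625 '2024-01-01T08:00:00Z' 'jsmith'  'CORP' '10.0.0.5'  '0xc000006a' 2 'WS-JSMITH' }
    @{ Server = 'DC01'; Xml = New-SampleEvent4625 '2024-01-01T08:00:10Z' 'jsmith'  'CORP' '10.0.0.5'  '0xc000006a' 2 'WS-JSMITH' }
    @{ Server = 'DC02'; Xml = New-SampleEvent4625 '2024-01-01T08:01:00Z' 'admin'   'CORP' '10.0.0.77' '0xc000006a' }
    @{ Server = 'DC02'; Xml = New-SampleEvent4625 '2024-01-01T08:01:01Z' 'svc_sql' 'CORP' '10.0.0.77' '0xc000006a' }
    @{ Server = 'DC02'; Xml = New-SampleEvent4625 '2024-01-01T08:01:02Z' 'backup'  'CORP' '10.0.0.77' '0xc0000064' }
    @{ Server = 'DC01'; Xml = New-SampleEvent4625 '2024-01-01T08:01:03Z' 'hr01'    'CORP' '10.0.0.77' '0xc0000234' }
)
$events = foreach ($s in $samples) { ConvertFrom-Event4625 -EventXml $s.Xml -Server $s.Server }

# Against real DCs the same pipeline would be (untested here, reads the live Security log):
#   $events = foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
#       Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
#           ForEach-Object { ConvertFrom-Event4625 -EventXml $_.ToXml() -Server $dc }
#   }

"Total 4625 records: $($events.Count)"
"4625 records per server:"
$events | Group-Object Server | Select-Object Name, Count | Format-Table -AutoSize

"Grouped by account:"
$events | Group-Object UserName | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

"Grouped by source IP and failure reason:"
$events | Group-Object IpAddress, Reason | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

"Source IPs that failed against 3 or more distinct accounts (worth a closer look):"
$events | Group-Object IpAddress |
    Where-Object { @($_.Group.UserName | Sort-Object -Unique).Count -ge 3 } |
    Select-Object @{ n = 'IpAddress'; e = { $_.Name } },
                  @{ n = 'Accounts';  e = { @($_.Group.UserName | Sort-Object -Unique).Count } },
                  Count |
    Format-Table -AutoSize
```

Keying the parsed object by field name is the part that matters: the `.Properties` index of a field depends on the event template, so a script that reads `Properties[21]` silently gets `$null` (or the wrong field) when the template differs, while `$data['IpAddress']` either returns the value or makes the absence obvious. The last grouping is the one to keep an eye on when reviewing these reports: one address hitting many distinct accounts is a different situation from one user mistyping a password twice, even though both are just rows of 4625.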
