Powershell 安全日志 Get-EventLog [英] Powershell Security Log Get-EventLog

问题描述

我正在尝试在 powershell 中写一些东西，并且对 powershell 完全陌生，我需要帮助.我要做的是从安全日志中获取信息.具体来说，用户在过去两周内的最后一次登录.到目前为止，我拥有的代码是根据最近 100 个事件获取事件 ID 4624 的登录名.这不仅返回用户，还返回计算机.如何在两周内将结果仅限于用户?这甚至可能吗?

I am trying to write something up in powershell and completely new to powershell, I need help. What I'm trying to do is get information from the Security Log. Specifically, the last login for users over the last two weeks. The code that I have so far is getting login's for the event ID 4624 based on the last 100 events. This is also returning not just users but computers as well. How can I limit the results to just users over a period of two weeks? Is this even possible?

$eventList = @()
Get-EventLog "Security" -After $Date `
    | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10} `
    | foreach-Object {
        $row = "" | Select UserName, LoginTime
        $row.UserName = $_.ReplacementStrings[5]
        $row.LoginTime = $_.TimeGenerated
        $eventList += $row
        }
$eventList

用代码解决

$Date = [DateTime]::Now.AddDays(-14)
$Date.tostring("MM-dd-yyyy"), $env:Computername
$eventList = @()
Get-EventLog "Security" -After $Date `
    | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$"} `
    | foreach-Object {
        $row = "" | Select UserName, LoginTime
        $row.UserName = $_.ReplacementStrings[5]
        $row.LoginTime = $_.TimeGenerated
        $eventList += $row
        }
$eventList

推荐答案

使用 -before 和 -after 参数按日期过滤日志.使用 get-help get-eventlog -full 查看所有参数.

Use -before and -after parameters to filter the log by date. Use get-help get-eventlog -full to see all the parameters.

这篇关于Powershell 安全日志 Get-EventLog的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！