Get-WinEvent Obtain Interactive Logon Messages Only


Problem description

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain "Logon Type: 2" or interactive logon. I have everything else working except for the part of obtaining only those logs for interactive logons only. Here is a snip of my script, if anyone has any idea how to get this going it would be greatly appreciated. If I take the 2 out of "Logon Type" it works and I get everything, but if I have anything after that it does not kick any errors, but it doesn't yield results either. Yes, I have verified that I have interactive logon events during my filtered timeframe. Thanks.

$server; Get-WinEvent -computername $server -FilterHashTable @{Logname=$logname;ID=$eventid;StartTime=$starttime;EndTime=$endtime} | where { $_.Message | Select-String "Logon Type: 2" }

Tim

Recommended answer

For optimal speed you should filter via XPath like this:

Get-WinEvent -ProviderName 'Microsoft-Windows-Security-Auditing' -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]" | select -First 1
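
An added example, not part of the original answer: the same XPath filter applied to the question's case of several machines and a time window, returning the logon fields a reviewer usually wants. The host names in `$servers`, the 24-hour window and the output column names are assumptions.

```powershell
# Added example. $servers and the 24-hour window are assumed values.
$servers   = 'SERVER01', 'SERVER02'          # hypothetical host names
$endTime   = (Get-Date).ToUniversalTime()
$startTime = $endTime.AddHours(-24)

# XPath time comparisons take UTC timestamps; the 's' format is culture-invariant.
$from = $startTime.ToString('s') + '.000Z'
$to   = $endTime.ToString('s') + '.000Z'

# Filter on the structured LogonType field instead of the rendered Message text.
# In the Message, tab characters separate "Logon Type:" from the value, so a
# pattern with a single space ("Logon Type: 2") never matches.
$xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']] " +
         "and EventData[Data[@Name='LogonType']='2']]"

$results = foreach ($server in $servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -LogName Security `
                               -FilterXPath $xpath -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; unreachable hosts
        # and access-denied failures land here as well.
        Write-Warning "${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Turn the EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Computer    = $server
            TimeCreated = $evt.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
        }
    }
}
$results | Sort-Object TimeCreated | Format-Table -AutoSize
```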
