Create variable from Microsoft Security event ID message for Account Name and Caller Computer Name.

Question


I am using PowerShell to pull the most recent event ID for a locked out user using the following code:

Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740} -MaxEvents 1

Then I turn the message into a variable. When I show the message it looks like the screen below. How can I parse the data to create two separate variables? The first variable would be the Account Name and the second variable would be the Caller Computer Name. So I should end up with the below:

$Account = []
$Caller = [] 


Answer 1

Score: 1


The event-type-specific information of a given log entry is surfaced via the .Properties collection of the EventLogRecord objects returned by Get-WinEvent, which contains values only (no property names), which can be extracted via each element's .Value property.

Therefore, you need to know the indices of the values of interest in order to extract them.

I infer from the code in this question that indices 0 and 1 refer to the locked-out user's username and the machine on which the lockout occurred, respectively.

Therefore:

$evt = Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740} -MaxEvents 1

$account, $computer = $evt.Properties[0, 1].Value

Note the use of the following techniques:

  • A multi-assignment (multiple target variables on the LHS)
  • PowerShell's support for multiple indices, which returns the targeted elements as an array.
  • Member-access enumeration: the ability to access a property on a collection to have the property values of its elements returned.
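As an added example (not part of the answer above, and not code from the question's author), here is the same extraction done by field name rather than by positional index. The event's XML carries the EventData field names, so the code does not depend on remembering that index 0 is the account and index 1 the caller; for event 4740 the "Caller Computer Name" shown in the rendered message is stored in the TargetDomainName field. A second function parses the rendered Message text as a fallback for exported logs, taking care to read the Account Name under "Account That Was Locked Out" rather than the one under "Subject" (which is the domain controller's own account). The function names, the -MaxEvents/-ComputerName parameters and the sample message are my own assumptions, not anything the page provides.

```powershell
# Added example: pull Account Name and Caller Computer Name from event 4740
# by field name (via the event XML) instead of by positional index.

function Get-LockoutInfo {
    # Returns one object per 4740 event with the locked-out account and the
    # computer the bad logon attempts came from. Lockouts are recorded on the
    # domain controller that processed them, so -ComputerName lets you query a DC.
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 10,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
        -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        # ToXml() exposes each EventData value together with its Name attribute.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated      = $evt.TimeCreated
            Account          = $data['TargetUserName']   # "Account That Was Locked Out"
            Caller           = $data['TargetDomainName'] # "Caller Computer Name" in the message
            DomainController = $evt.MachineName
        }
    }
}

function ConvertFrom-LockoutMessage {
    # Fallback for when only the rendered Message text is available (e.g. an
    # exported log). "Account Name:" appears twice in a 4740 message, so the
    # regex anchors on the "Account That Was Locked Out:" section first.
    param([Parameter(Mandatory)][string]$Message)
    $account = if ($Message -match '(?s)Account That Was Locked Out:.*?Account Name:\s+(\S+)') { $Matches[1] } else { $null }
    $caller  = if ($Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{ Account = $account; Caller = $caller }
}

# Constructed sample message (single-quoted here-string, so the $ in DC01$ is literal).
$sample = @'
A user account was locked out.

Subject:
	Security ID:		S-1-5-18
	Account Name:		DC01$
	Account Domain:		CONTOSO
	Logon ID:		0x3E7

Account That Was Locked Out:
	Security ID:		S-1-5-21-0-0-0-1234
	Account Name:		jdoe

Additional Information:
	Caller Computer Name:	WS-0042
'@

# Offline check of the text parser: yields Account = jdoe, Caller = WS-0042
$parsed  = ConvertFrom-LockoutMessage -Message $sample
$Account = $parsed.Account
$Caller  = $parsed.Caller
"Account=$Account Caller=$Caller"

# Live use on a domain controller: which hosts are generating the most lockouts?
# Get-LockoutInfo -ComputerName DC01 -MaxEvents 200 |
#     Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

The Group-Object line at the end is the part an operations team usually wants: a single workstation repeatedly locking out many accounts is a classic sign of a stale credential in a scheduled task or mapped drive, or of password spraying, and surfacing the caller name per lockout is what makes that visible.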

Posted by huangapple on 2023-06-11 21:49:04
Source: https://go.coder-hub.com/76450781.html